[Snort-users] Run SNORT as different user

Brian bmc at ...950...
Sat Mar 2 07:22:31 EST 2002

According to Fyodor:
> > There is also another way.  If you can make the device that pcap reads
> > from readable by a user or group other than root, then you should be 
> > able to run snort as that user or group.
> > 
> > For example, in openbsd I set my bpf device to g+rw.  This change
> > allows any user in the wheel group to sniff.
> > 
> > crw-rw----  1 root  wheel   23,   0 Mar  2 01:31 /dev/bpf0
> > 
> Although for the moment such features as 'flexresp' and the similar
> (which require root access to initialize) will not work. I believe these
> will be fixed with snort2x design, as for now... ;-) (it could be
> patched but won't look nice, and could cause some other probs with file
> perms and stuff)

Yes, but I have a way around that limitation with a kernel patch.  
Dug Song wrote a patch to OpenBSD 2.7 that allows any user access 
to create raw sockets.  Mark Grimes (Obecian) has updated it for 
OpenBSD 2.9.  


Patches like this are available for other OSs, but thats up to the
user to find them.

Eagles may soar, but weasels don't get sucked into jet engines. 

More information about the Snort-users mailing list