[Snort-users] Run SNORT as different user

Brian bmc at ...950...
Sat Mar 2 07:22:31 EST 2002


According to Fyodor:
> > There is also another way.  If you can make the device that pcap reads
> > from readable by a user or group other than root, then you should be 
> > able to run snort as that user or group.
> > 
> > For example, in openbsd I set my bpf device to g+rw.  This change
> > allows any user in the wheel group to sniff.
> > 
> > crw-rw----  1 root  wheel   23,   0 Mar  2 01:31 /dev/bpf0
> > 
> 
> Although for the moment such features as 'flexresp' and the similar
> (which require root access to initialize) will not work. I believe these
> will be fixed with snort2x design, as for now... ;-) (it could be
> patched but won't look nice, and could cause some other probs with file
> perms and stuff)

Yes, but I have a way around that limitation with a kernel patch.  
Dug Song wrote a patch to OpenBSD 2.7 that allows any user access 
to create raw sockets.  Mark Grimes (Obecian) has updated it for 
OpenBSD 2.9.  

http://www.stateful.net/openbsd/raw4all-2.9.patch

Patches like this are available for other OSs, but that's up to the
user to find them.

-- 
Eagles may soar, but weasels don't get sucked into jet engines. 
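
Added example, not part of the original post or of Snort: a small audit of who can open the capture device once its permissions are relaxed as described in the thread. The function name, the output format and the second and third sample lines are assumptions made for illustration; only the /dev/bpf0 listing comes from the post.

```shell
#!/bin/sh
# Audit who may open packet-capture device nodes, based on `ls -l` output.
# Real use (assumption: BSD-style bpf nodes):
#   ls -l /dev/bpf* | audit_capture_devices

# Constructed sample: the first line is the listing quoted in the post,
# the other two lines are made up to exercise the remaining cases.
SAMPLE='crw-rw----  1 root  wheel   23,   0 Mar  2 01:31 /dev/bpf0
crw-------  1 root  wheel   23,   1 Mar  2 01:31 /dev/bpf1
crw-rw-r--  1 root  wheel   23,   2 Mar  2 01:31 /dev/bpf2'

# Prints "<path> <scope>:<who>:<access>" for each character device.
# Returns 1 if any device is accessible to "other" (every local user).
audit_capture_devices() {
    awk '
    function access(bits) {   # "rw-" -> "rw", "r--" -> "r", "---" -> ""
        return (bits ~ /r/ ? "r" : "") (bits ~ /w/ ? "w" : "")
    }
    $1 ~ /^c/ {                         # character devices only
        grp = access(substr($1, 5, 3))  # group permission triplet
        oth = access(substr($1, 8, 3))  # other permission triplet
        if (oth != "")      { print $NF, "world:any:" oth; bad = 1 }
        else if (grp != "") { print $NF, "group:" $4 ":" grp }
        else                { print $NF, "owner:" $3 ":" access(substr($1, 2, 3)) }
    }
    END { exit bad }'
}

# Demo on the constructed sample; the non-zero return is turned into a warning.
printf '%s\n' "$SAMPLE" | audit_capture_devices \
    || echo "at least one capture device is open to all local users" >&2
```

A "group:wheel:rw" result means every member of wheel can capture traffic and, because write access to a bpf device allows sending frames, can also transmit on that interface, so the membership of that group is worth reviewing.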



