FW: RE: [Snort-users] weird behaviour with Puresecure

Ryan Hill rhill at ...2446...
Tue May 7 10:27:04 EDT 2002


I received a reply from Demarc directly regarding the issues I raised in an
e-mail to the list yesterday.  Since the reply was rather good, I thought it
might be helpful to forward the reply to the list in case anyone was
interested in the details.  The following message is being forwarded with
permission from the original sender who is not currently subscribed.


Ryan Hill
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com

-----Original Message-----
From: Anthony [mailto:anthony at ...4451...] 
Sent: Monday, May 06, 2002 5:10 PM
To: rhill at ...2446...
Subject: RE: Importing Portscan Logs on 1.6?

> FYI, I've been working with a developer for a few weeks on an unrelated
> issue but thought I would mention that the values passed to the
> validate function inside the web GUI are hard coded into the program.
> For whatever reason (probably a good one?! :), the developers have
> chosen not to pass the actual arguments you may be using for your
> sensor (I'm using -o myself).

The validate function of the web browser has to run as the unprivileged
user that the webserver runs as.  Therefore, in order to allow Snort to
validate a ruleset without root privileges, some special arguments must be

For example, a minimal tcpdump file is created and then fed to snort using
the -r flag so that snort will not try to open a device in promisc mode.
Also, the -l argument is used and pointed to the console/tmp/ path which
the webserver user has permission to write to.

> In addition, the validate function also doesn't correctly identify the
> interface your sensor is using, so when you run validate, snort is
> going to run the validation against your default interface, which may
> or may not be the correct interface for the sensor you're testing.

This is done this way because it shouldn't make any difference if an
interface is specified or not since the -T option is used - so no packets
are actually captured on any interface; the rulesets and configuration are
simply checked by snort to check their validity.
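
The validation run described in the reply above, as an added shell example that is not part of the original message and is not Demarc's code. It assumes a header-only capture is an acceptable "minimal tcpdump file"; the function names and the paths passed in are hypothetical.

```shell
#!/bin/sh
# Added example: validate a Snort configuration as an unprivileged user.
# Function names and paths are illustrative, not taken from the product.

# Write a libpcap file holding only the 24-byte global header
# (little-endian magic, version 2.4, snaplen 65535, linktype 1 = Ethernet).
# Assumption: zero packets is enough, since -T exits after checking the config.
make_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000' >  "$1"
    printf '\000\000\000\000\000\000\000\000' >> "$1"
    printf '\377\377\000\000\001\000\000\000' >> "$1"
}

# Print the command line used for validation.
#   -T  test the configuration and rules, then exit
#   -r  read from the capture file, so no interface is opened in promisc mode
#   -l  log directory the calling (webserver) user can write to
#   -c  configuration file to check
validate_cmd() {
    printf 'snort -T -c %s -r %s -l %s\n' "$1" "$2/empty.pcap" "$2"
}

# Run the validation. Returns snort's exit status, 2 if the work directory
# is unusable, or 127 if snort is not installed.
validate_ruleset() {
    conf=$1
    workdir=$2
    [ -w "$workdir" ] || { echo "workdir not writable: $workdir" >&2; return 2; }
    make_empty_pcap "$workdir/empty.pcap" || return 2
    command -v snort >/dev/null 2>&1 || { echo "snort not found" >&2; return 127; }
    snort -T -c "$conf" -r "$workdir/empty.pcap" -l "$workdir"
}
```

Because neither root nor a live interface is involved, a non-zero status from `validate_ruleset` reflects the ruleset or configuration rather than capture permissions.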

