[Snort-users] Run as user?

Erek Adams erek at ...950...
Thu Apr 3 04:51:21 EST 2003


On Thu, 3 Apr 2003, Joe Hill wrote:

> well, I'm not *that* much of a noob ;)

:)  Hey, I had to say it!  :)

> well, I'm a proud member of that group. I cannot find how to give that
> group perms on the device though. It's not in /dev...or /proc...where
> could it be?

I'm not sure about a Linux system, but there is an easy way to find out.
Use lsof and see what devices are being used by Snort.

For example:

[erek at ...8117...]/dev>ps auxww | grep snort
root     25233  0.0  0.0 64496 12180 p5  SN    Fri09AM    0:58.65 snort
[erek at ...8117...]/dev>sudo lsof -p 25233
COMMAND   PID USER   FD   TYPE DEVICE  SIZE/OFF   NODE NAME
snort   25233 root  cwd   VDIR    0,5       512   3651 /var (/dev/wd0f)
snort   25233 root  txt   VREG    0,4   3132923  41825 /usr/local (/dev/wd0e)
snort   25233 root  txt   VREG    0,3     61440  57392 /usr/libexec/ld.so
snort   25233 root  txt   VREG    0,5     11375   7175 /var/run/ld.so.hints
snort   25233 root  txt   VREG    0,3     97692 168506 /usr (/dev/wd0d)
snort   25233 root  txt   VREG    0,3     85720 168500 /usr (/dev/wd0d)
snort   25233 root  txt   VREG    0,3    602889 168483 /usr (/dev/wd0d)
snort   25233 root    0u  VCHR    5,5  0t111941  54791 /dev/ttyp5
snort   25233 root    1u  VCHR    5,5  0t111941  54791 /dev/ttyp5
snort   25233 root    2u  VCHR    5,5  0t111941  54791 /dev/ttyp5
snort   25233 root    3u  VCHR   23,2 0xe3fcc7d  54731 /dev/bpf2
snort   25233 root    4w  VREG    0,5     67142   3694 /var (/dev/wd0f)
snort   25233 root    5u  VREG    0,5     13394   3653 /var (/dev/wd0f)
snort   25233 root    6w  VREG    0,5     69738   3693 /var (/dev/wd0f)
[erek at ...8117...]/dev>ls -al /dev/bpf?
crw-------  1 root  wheel   23,   0 Apr  3 01:34 /dev/bpf0
crw-------  1 root  wheel   23,   1 Mar 30 01:34 /dev/bpf1
crw-------  1 root  wheel   23,   2 Mar 14 22:06 /dev/bpf2
crw-------  1 root  wheel   23,   3 Feb  9 08:33 /dev/bpf3
crw-------  1 root  wheel   23,   4 Feb  9 08:33 /dev/bpf4
crw-------  1 root  wheel   23,   5 Feb  9 08:33 /dev/bpf5
crw-------  1 root  wheel   23,   6 Feb  9 08:33 /dev/bpf6
crw-------  1 root  wheel   23,   7 Feb  9 08:33 /dev/bpf7
crw-------  1 root  wheel   23,   8 Feb  9 08:33 /dev/bpf8
crw-------  1 root  wheel   23,   9 Feb  9 08:33 /dev/bpf9


Now all I have to do is:

	chgrp snort /dev/bpf2
	chmod 660 /dev/bpf2

And all should be well.  You just need to find out what device is being
used by snort to sniff on and then change the group and perms on that
device.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
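The procedure in the reply above (find the BPF node Snort has open with lsof, then chgrp/chmod it), scripted as an added example that is not part of the original post. It assumes lsof and pgrep are installed, that lsof prints the path in its last column as in the post, and that the target group (here "snort") already exists; the lsof sample embedded in it is constructed from the post's output so the parser can be exercised without a running Snort. Two caveats a practitioner would want: on Linux, libpcap captures through a packet socket rather than a /dev node, so there is nothing to chgrp and the usual approach is to start Snort as root and let its -u/-g options drop privileges after the capture handle is open; and on a system whose /dev is regenerated at boot (FreeBSD's devfs, for example), a chmod on the node is lost at reboot and must be made persistent in the device manager's own configuration.

```sh
#!/bin/sh
# Added example, not part of the original post: automate the reply's procedure
# of finding which /dev/bpf* node a running Snort holds open, granting a group
# read/write access to it, and checking that the change actually took.
# Assumptions: lsof and pgrep exist, lsof's last column (NAME) is the path as
# in the post, and the group passed in (e.g. "snort") already exists.

# Constructed sample of `lsof -p <pid>` output, trimmed from the post, so the
# parser can be run without a live Snort process.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE  SIZE/OFF   NODE NAME
snort   25233 root  cwd   VDIR    0,5       512   3651 /var (/dev/wd0f)
snort   25233 root    0u  VCHR    5,5  0t111941  54791 /dev/ttyp5
snort   25233 root    3u  VCHR   23,2 0xe3fcc7d  54731 /dev/bpf2
snort   25233 root    4w  VREG    0,5     67142   3694 /var (/dev/wd0f)'

# Read lsof output on stdin and print only the /dev/bpfN paths, one per line.
# NAME is the last column; the "(/dev/wd0f)" mount annotations do not match.
bpf_devices_from_lsof() {
    awk '$NF ~ /^\/dev\/bpf[0-9]+$/ { print $NF }' | sort -u
}

# Live version: every BPF node held open by any process named snort.
snort_bpf_devices() {
    for pid in $(pgrep -x snort); do
        lsof -p "$pid" 2>/dev/null | bpf_devices_from_lsof
    done | sort -u
}

# Succeed only if the node's permission bits are rw-rw---- and its group is $2.
# Uses ls -ld (mode in column 1, group in column 4) so it behaves the same on
# BSD and Linux; substr skips the leading type character ("c" for a char dev).
device_mode_ok() {
    ls -ld "$1" | awk -v g="$2" \
        'substr($1, 2, 9) == "rw-rw----" && $4 == g { ok = 1 } END { exit ok ? 0 : 1 }'
}

# chgrp/chmod each device exactly as the reply does, then verify before
# trusting it: a silent failure here leaves Snort unable to open the device.
grant_group_sniff_access() {
    group=$1; shift
    for dev in "$@"; do
        chgrp "$group" "$dev" && chmod 660 "$dev" || return 1
        device_mode_ok "$dev" "$group" || {
            echo "permission change on $dev did not take" >&2
            return 1
        }
    done
}

# Usage (as root):  grant_group_sniff_access snort $(snort_bpf_devices)
# Offline demo of the parser against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    echo "$SAMPLE_LSOF" | bpf_devices_from_lsof
fi
```

Run with --demo to see the parser pick /dev/bpf2 out of the sample; the live functions are meant to be sourced and run as root on the sensor itself. The verification step matters because the BPF node is the one object standing between the unprivileged Snort account and raw traffic: check it once after the change, and again after any reboot or device re-creation.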
