[Snort-users] Snort Security ? How to ?

d_greenjr d_greenjr at ...125...
Sun Apr 20 05:24:03 EDT 2003


I can answer #2--Running snort as non-root
1. Create a new user (optional) and group (e.g., user=sec, group=infosec)
2. Make it so that you cannot log in as the user (e.g., shell=/sbin/nologin
or /dev/null)
3. In the snort startup file (e.g., /etc/init.d/rc.d/snort) create the
variable SNORT_UID=sec and make the SNORT_GID=infosec (if you created this
group for security personnel)
4. Add the option "-u $SNORT_UID" to the line $SNORT_PATH/snort -c
$CONFIG -i $IFACE -g $SNORT_GID $OPTIONS.

It should now read as follows:
$SNORT_PATH/snort -c $CONFIG -i $IFACE -u $SNORT_UID -g $SNORT_GID $OPTIONS

At startup snort will be run as the user sec, group infosec, and no one can
log in as that user.  You may have to change the permissions on the directory
/var/log/snort to allow this user to read and write.  You also may need to
add the line "config mask:xxx" to the snort config file to make the
permissions on files created by sec whatever you want.  I have not
gotten it to work yet, but I will query the group again.  I am doing
something wrong with that line.
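
An audit script for the setup described above, added here as an example and not code from the post or the Snort project: it checks that the user named by -u has no login shell, that the -u/-g group exists, and that the log directory is owned by that user and group; the SAMPLE_* inputs are constructed, and the only assumption is that the init script's variables have already been expanded in the command line you pass in.

```python
import shlex

# Added audit example (not code from the list post). Inputs are text and values
# so it runs offline; the three SAMPLE_* constants are constructed test data.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/dev/null"}
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsec:x:501:502::/var/log/snort:/sbin/nologin\n"
SAMPLE_GROUP = "root:x:0:\ninfosec:x:502:\n"
SAMPLE_CMD = "$SNORT_PATH/snort -c $CONFIG -i $IFACE -u sec -g infosec $OPTIONS"

def parse_passwd(text):
    """Map user name -> shell from /etc/passwd-style lines."""
    return {f[0]: f[6] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 7}

def parse_group(text):
    """Return the set of group names from /etc/group-style lines."""
    return {l.split(":")[0] for l in text.splitlines() if l.count(":") >= 2}

def snort_cmd_uid_gid(cmdline):
    """Return the values following -u and -g on a snort command line (None if absent)."""
    argv = shlex.split(cmdline)
    def opt(flag):
        i = argv.index(flag) if flag in argv else -1
        return argv[i + 1] if 0 <= i < len(argv) - 1 else None
    return opt("-u"), opt("-g")

def audit(passwd_text, group_text, cmdline, logdir_owner, logdir_group, logdir_mode):
    """Return findings about the privilege drop; an empty list means it matches the post."""
    user, group = snort_cmd_uid_gid(cmdline)
    if user is None or group is None:
        return ["command line lacks -u/-g: snort keeps running as root"]
    findings = []
    shells, groups = parse_passwd(passwd_text), parse_group(group_text)
    if user not in shells:
        findings.append(f"user {user!r} does not exist")
    elif shells[user] not in NOLOGIN_SHELLS:
        findings.append(f"user {user!r} still has a login shell: {shells[user]}")
    if group not in groups:
        findings.append(f"group {group!r} does not exist")
    if (logdir_owner, logdir_group) != (user, group):
        findings.append(f"/var/log/snort owned by {logdir_owner}:{logdir_group}, not {user}:{group}")
    if (logdir_mode & 0o700) != 0o700:
        findings.append("/var/log/snort is not rwx for its owner, snort cannot log there")
    if logdir_mode & 0o002:
        findings.append("/var/log/snort is world-writable")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_CMD, "root", "root", 0o755) or ["ok"]:
        print(f)
```

For the file-creation mask, the Snort 2.x configuration directive is spelled `config umask: <octal mask>` (for example `config umask: 027`), not `config mask:`.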


----- Original Message -----
From: "Always Bishan" <bishan4u at ...1396...>
To: <snort-users at lists.sourceforge.net>
Sent: Sunday, April 20, 2003 2:57 AM
Subject: [Snort-users] Snort Security ? How to ?


> Hi Snorters,
>
> I am installing a RH8 Linux machine in my network
> which will serve the purpose of a snort sensor and the
> main snort manager. There will be 3 other snort
> sensors (all in Linux) which will be logging into the
> snort manager.
>
> Now I want this Snort Manager and the 3 sensors to be
> extremely secure.
> This can be done by:
> 1. Installing minimum number of packages on all the
> boxes.
> 2. Running Snort as non-root.
> 3. Logging to the database as non-root.
> 4. Running Snort in a CHROOT environment.
> 5. Tight privileges to snort files.
>
> Now, for making above possible, I don't have answers
> to the following questions:
>
> 1. What are the dependencies of Snort and what minimum
> packages do I need to install on the machine whose
> purpose is only as a snort sensor?
> 2. How do I run snort as a non-root user?
> 3. What permissions like SELECT, INSERT, DELETE do I
> need to give to the snort user for it to work seamlessly
> with ACID?
> 4. How do I run Snort in a chroot environment? (Is
> there any document explaining this?)
>
> I think if we can answer these, we will have a very
> secure snort box.
>
> Please drop in your valuable comments.
>
> Regards,
> Bishan
>
>
> =====
> Celebrating Happiness
> email: bishan at ...8634...
> company: www.sumerusolutions.com