[Snort-users] Snort Security ? How to ?

d_greenjr d_greenjr at ...125...
Sun Apr 20 05:24:03 EDT 2003

I can answer #2--Running snort as non-root
1. Create a new user (optional) and group (e.g., user=sec, group=infosec)
2. Make it so that you cannot log in as the user (e.g., shell=/sbin/nologin
or /dev/null)
3. In the snort startup file (e.g., /etc/init.d/rc.d/snort) create the
variable SNORT_UID=sec and make the SNORT_GID=infosec (if you created this
group for security personnel)
4. Add the option "-u $SNORT_UID" to the line $SNORT_PATH/snort -c

It should now read as follows:

At startup snort will be run as the user sec, group infosec and no one can
log in as that user.  You may have to change the permissions on the directory
/var/log/snort to allow this user to read and write.  You also may need to
add the line "config mask:xxx" to the snort config file to make the
permissions on files created by sec to be whatever you want.  I have not
gotten it to work yet, but I will query the group again.  I am doing
something wrong with that line.

----- Original Message -----
From: "Always Bishan" <bishan4u at ...1396...>
To: <snort-users at lists.sourceforge.net>
Sent: Sunday, April 20, 2003 2:57 AM
Subject: [Snort-users] Snort Security ? How to ?

> Hi Snorters,
> I am installing a RH8 Linux machine in my network
> which will serve the purpose of a snort sensor and the
> main snort manager. There will be 3 other snort
> sensors (all in Linux) which will be logging into the
> snort manager.
> Now I want this Snort Manager and the 3 sensors to be
> extremely secure.
> This can be done by:
> 1. Installing minimum number of packages on all the
> boxes.
> 2. Running Snort as non-root.
> 3. Logging to the database as non-root.
> 4. Running Snort in a CHROOT environment.
> 5. Tight privileges to snort files.
> Now, for making above possible, I don't have answers
> to the following questions:
> 1. What are the dependencies of Snort and what minimum
> packages do I need to install on the machine whose
> purpose is only as a snort sensor?
> 2. How do I run snort as a non-root user ?
> 3. What permissions like SELECT,INSERT,DELETE do I
> need to give to snort user for it to work seamlessly
> with ACID ?
> 4. How do I run Snort in a Chroot environment ? (Is
> there any document explaining this)
> I think if we can answer these, we will have a very
> secure snort box.
> Please drop in your valuable comments.
> Regards,
> Bishan
> =====
> Celebrating Happiness
> email: bishan at ...8634...
> company: www.sumerusolutions.com
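A check of the setup described in the reply above, as an added example that is not part of the original post or of Snort: it verifies that the account cannot log in, that the startup command names a non-root user and group, and that the log directory is writable without being world-writable. The passwd entries and the snort and snort.conf paths are constructed; `-g` is Snort's group counterpart to `-u`, and the list of no-login shells beyond those named in the reply is an assumption.

```shell
#!/bin/sh
# Added example: audit the non-root Snort setup described in the reply.
# sec/infosec come from the thread; the passwd entries and the snort and
# snort.conf paths in demo() are constructed sample input.

# shell_blocks_login PASSWD_FILE USER -> 0 if USER has a no-login shell
shell_blocks_login() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/dev/null) return 0 ;;
        *) return 1 ;;   # interactive shell, or user not found
    esac
}

# drops_privileges "COMMAND LINE" -> 0 if -u and -g both name non-root ids
drops_privileges() {
    user="" group=""
    set -f; set -- $1; set +f      # split into words without globbing
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) user=${2-} ;;
            -g) group=${2-} ;;
        esac
        shift
    done
    [ -n "$user" ] && [ "$user" != root ] && [ "$user" != 0 ] &&
    [ -n "$group" ] && [ "$group" != root ] && [ "$group" != 0 ]
}

# logdir_ok DIR -> 0 if DIR is writable by the invoking user and not
# world-writable (run it as the Snort user to test that account's access)
logdir_ok() {
    [ -d "$1" ] && [ -w "$1" ] &&
    [ -z "$(find "$1" -prune -perm -002 -print)" ]
}

demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'sec:x:501:501:Snort:/var/log/snort:/sbin/nologin' \
                  'bob:x:502:502::/home/bob:/bin/bash' > "$tmp"
    shell_blocks_login "$tmp" sec && echo "sec: login blocked"
    shell_blocks_login "$tmp" bob || echo "bob: can log in"
    drops_privileges '/usr/local/bin/snort -c /etc/snort/snort.conf -u sec -g infosec' \
        && echo "startup line drops to sec:infosec"
    drops_privileges '/usr/local/bin/snort -c /etc/snort/snort.conf' \
        || echo "startup line stays root"
    rm -f "$tmp"
}
demo
```

On a live sensor, pass /etc/passwd and the expanded command line from the startup file, and run `logdir_ok /var/log/snort` as the Snort user.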
