[Snort-users] Problem with permissions when snort ran as user "snort"

Sp0ng3 B0b sp0ng3b0b at ...9090...
Fri Sep 9 21:40:01 EDT 2005


What's odd is that it did work fine, until a reboot.

Bridge0 is a bridged interface (bonded interface in
linux). I use netoptics taps and aggregate the monitor
ports on the IDS.


--- Evan J <maps.this.address at ...11827...> wrote:

> Exactly a comment I stated a while back. Why doesn't
> Snort set
> ownership of log files to snort but root? I
> understand that in most
> systems `root' account has privilege to run pcap in
> premiscuous mode
> but what about the actual writing to the log files?
> 
> Sp0ng3 B0b, What is bridge0? Is it the actual name
> of your interface?
> Shouldn't it be ep0, xl0, or dc0? Excuse my
> ignorance for I don't use
> OpenBSD...
> 
> On 9/9/05, Sp0ng3 B0b <sp0ng3b0b at ...9090...>
> wrote:
> > I'm running snort 2.4 on an OpenBSD 3.7 IDS.
> > 
> > Snort is started like so:
> > 
> > snort -c /etc/snort/snort.conf -i bridge0 -l
> > /var/log/snort -u snort -g snort -D
> > 
> > The user snort owns /var/log/snort.
> > 
> > Unfortunately, the logfiles permissions are wrong:
> > 
> > drwxr-xr-x  2 snort  snort    512 Sep  9 07:01 .
> > drwxr-xr-x  3 snort  snort    512 Aug  3 22:00 ..
> > -rw-------  1 root   snort   2256 Sep  9 07:07
> > snort.alert.1126274487
> > -rw-------  1 root   snort  39261 Sep  9 07:07
> > snort.log.1126274487
> > 
> > What am I missing here?
> > 
> > 
> > 
> > 
> > 
> > 
> >
>
-------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software
> Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA *
> Development Lifecycle Practices
> > Agile & Plan-Driven Development * Managing
> Projects & Teams * Testing & QA
> > Security * Process Improvement & Measurement *
> http://www.sqe.com/bsce5sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> unsubscribe:
> >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
> 
>
-------------------------------------------------------
> SF.Net email is Sponsored by the Better Software
> Conference & EXPO
> September 19-22, 2005 * San Francisco, CA *
> Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects
> & Teams * Testing & QA
> Security * Process Improvement & Measurement *
> http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 





More information about the Snort-users mailing list