[Snort-users] permission issue

Jarrett Carver jarrett.carver at ...11827...
Mon Apr 8 11:24:00 EDT 2013


It looks like you need to make sure that your snort user/group has access
to the logging directory /var/log/snort, and has permissions to create log
files in this directory.

I would try something like:

# chown snort:snort /var/log/snort
# chmod 775 /var/log/snort






On Sat, Apr 6, 2013 at 3:48 PM, Balla István <balla.bmf at ...11827...> wrote:

> Hi Members,
>
> I'm facing problems when I run snort with
>
> sudo /usr/local/snort/bin/snort -u snort -g snort -c
> /usr/local/snort/etc/snort.conf -i eth1
>
> command. I followed the
> http://www.snort.org/assets/158/snortinstallguide293.pdf guide and it
> seemed to work but I got the error message at the end:
>
> ERROR: spo_unified2.c(321) Could not open
> /var/log/snort/snort.u2.1365276051: Permission denied
> Fatal Error, Quitting..
>
> There is no traffic yet on eth1 but I think this issue is related to the
> log somehow.
> I attach below the output of the first-mentioned command.
>
> Thanks for your advice.
>
>
> ----------------------------------------------------------------------------------------------
> sudo /usr/local/snort/bin/snort -u snort -g snort -c
> /usr/local/snort/etc/snort.conf -i eth1
>
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/snort/etc/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741
> 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145
> 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181
> 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371
> 34443:34444 41080 50002 55555 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901
> 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
> 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
> 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
> 9443 9999 11371 34443:34444 41080 50002 55555 ]
> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> Detection:
>    Search-Method = AC-Full-Q
>     Split Any/Any group = enabled
>     Search-Method-Optimizations = enabled
>     Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from
> /usr/local/snort/lib/snort_dynamicrules...
> WARNING: No dynamic libraries found in directory
> /usr/local/snort/lib/snort_dynamicrules.
>   Finished Loading all dynamic detection libs from
> /usr/local/snort/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from
> /usr/local/snort/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/snort/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
> WARNING: ip6 normalizations disabled because not inline.
> WARNING: icmp6 normalizations disabled because not inline.
> Frag3 global config:
>     Max frags: 65536
>     Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>     Bound Address: default
>     Target-based policy: WINDOWS
>     Fragment timeout: 180 seconds
>     Fragment min_ttl:   1
>     Fragment Anomalies: Alert
>     Overlap Limit:     10
>     Min fragment Length:     100
> Stream5 global config:
>     Track TCP sessions: ACTIVE
>     Max TCP sessions: 262144
>     Memcap (for reassembly packet storage): 8388608
>     Track UDP sessions: ACTIVE
>     Max UDP sessions: 131072
>     Track ICMP sessions: INACTIVE
>     Track IP sessions: INACTIVE
>     Log info if session memory consumption exceeds 1048576
>     Send up to 2 active responses
>     Wait at least 5 seconds between responses
>     Protocol Aware Flushing: ACTIVE
>         Maximum Flush Point: 16000
> Stream5 TCP Policy config:
>     Bound Address: default
>     Reassembly Policy: WINDOWS
>     Timeout: 180 seconds
>     Limit on TCP Overlaps: 10
>     Maximum number of bytes to queue per session: 1048576
>     Maximum number of segs to queue per session: 2621
>     Options:
>         Require 3-Way Handshake: YES
>         3-Way Handshake Timeout: 180
>         Detect Anomalies: YES
>     Reassembly Ports:
>       21 client (Footprint)
>       22 client (Footprint)
>       23 client (Footprint)
>       25 client (Footprint)
>       42 client (Footprint)
>       53 client (Footprint)
>       79 client (Footprint)
>       80 client (Footprint) server (Footprint)
>       81 client (Footprint) server (Footprint)
>       109 client (Footprint)
>       110 client (Footprint)
>       111 client (Footprint)
>       113 client (Footprint)
>       119 client (Footprint)
>       135 client (Footprint)
>       136 client (Footprint)
>       137 client (Footprint)
>       139 client (Footprint)
>       143 client (Footprint)
>       161 client (Footprint)
>       additional ports configured but not printed.
> Stream5 UDP Policy config:
>     Timeout: 180 seconds
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /usr/local/snort/etc/unicode.map
>       IIS Unicode Map Codepage: 1252
>       Memcap used for logging URI and Hostname: 150994944
>       Max Gzip Memory: 838860
>       Max Gzip Sessions: 9532
>       Gzip Compress Depth: 65535
>       Gzip Decompress Depth: 65535
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381
> 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779
> 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300
> 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
> 50002 55555
>       Server Flow Depth: 0
>       Client Flow Depth: 0
>       Max Chunk Length: 500000
>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>       Max Header Field Length: 750
>       Max Number Header Fields: 100
>       Max Number of WhiteSpaces allowed with header folding: 200
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Normalize HTTP Headers: NO
>       Inspect HTTP Cookies: YES
>       Inspect HTTP Responses: YES
>       Extract Gzip from responses: YES
>       Unlimited decompression of gzip data from responses: YES
>       Normalize Javascripts in HTTP Responses: YES
>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in
> HTTP responses: 200
>       Normalize HTTP Cookies: NO
>       Enable XFF and True Client IP: NO
>       Log HTTP URI data: NO
>       Log HTTP Hostname data: NO
>       Extended ASCII code support in URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: NO
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: NO
>       UTF 8: YES alert: NO
>       IIS Unicode: YES alert: NO
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: NO
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
> 0x07
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
> 32777 32778 32779
>     alert_fragments: INACTIVE
>     alert_large_fragments: INACTIVE
>     alert_incomplete: INACTIVE
>     alert_multiple_requests: INACTIVE
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: NO
>       Continue to check encrypted data: YES
>     TELNET CONFIG:
>       Ports: 23
>       Are You There Threshold: 20
>       Normalize: YES
>       Detect Anomalies: YES
>     FTP CONFIG:
>       FTP Server: default
>         Ports (PAF): 21 2100 3535
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Identify open data channels: NO
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Max Response Length: 256
> SMTP Config:
>     Ports: 25 465 587 691
>     Inspection Type: Stateful
>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
> EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
> STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
> XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT
> X-DRCP X-ERCP X-EXCH50
>     Ignore Data: No
>     Ignore TLS Data: No
>     Ignore SMTP Alerts: No
>     Max Command Line Length: 512
>     Max Specific Command Line Length:
>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>        XUSR:246
>     Max Header Line Length: 1000
>     Max Response Line Length: 512
>     X-Link2State Alert: Yes
>     Drop on X-Link2State Alert: No
>     Alert on commands: None
>     Alert on unknown commands: No
>     SMTP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>     Log Attachment filename: Enabled
>     Log MAIL FROM Address: Enabled
>     Log RCPT TO Addresses: Enabled
>     Log Email Headers: Enabled
>     Email Hdrs Log Depth: 1464
> SSH config:
>     Autodetection: ENABLED
>     Challenge-Response Overflow Alert: ENABLED
>     SSH1 CRC32 Alert: ENABLED
>     Server Version String Overflow Alert: ENABLED
>     Protocol Mismatch Alert: ENABLED
>     Bad Message Direction Alert: DISABLED
>     Bad Payload Size Alert: DISABLED
>     Unrecognized Version Alert: DISABLED
>     Max Encrypted Packets: 20
>     Max Server Version String Length: 100
>     MaxClientBytes: 19600 (Default)
>     Ports:
>     22
> DCE/RPC 2 Preprocessor Configuration
>   Global Configuration
>     DCE/RPC Defragmentation: Enabled
>     Memcap: 102400 KB
>     Events: co
>     SMB Fingerprint policy: Disabled
>   Server Default Configuration
>     Policy: WinXP
>     Detect ports (PAF)
>       SMB: 139 445
>       TCP: 135
>       UDP: 135
>       RPC over HTTP server: 593
>       RPC over HTTP proxy: None
>     Autodetect ports (PAF)
>       SMB: None
>       TCP: 1025-65535
>       UDP: 1025-65535
>       RPC over HTTP server: 1025-65535
>       RPC over HTTP proxy: None
>     Invalid SMB shares: C$ D$ ADMIN$
>     Maximum SMB command chaining: 3 commands
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> SSLPP config:
>     Encrypted packets: not inspected
>     Ports:
>       443      465      563      636      989
>       992      993      994      995     7801
>      7802     7900     7901     7902     7903
>      7904     7905     7906     7907     7908
>      7909     7910     7911     7912     7913
>      7914     7915     7916     7917     7918
>      7919     7920
>     Server side data is trusted
> Sensitive Data preprocessor config:
>     Global Alert Threshold: 25
>     Masked Output: DISABLED
> SIP config:
>     Max number of sessions: 40000
>     Max number of dialogs in a session: 4 (Default)
>     Status: ENABLED
>     Ignore media channel: DISABLED
>     Max URI length: 512
>     Max Call ID length: 80
>     Max Request name length: 20 (Default)
>     Max From length: 256 (Default)
>     Max To length: 256 (Default)
>     Max Via length: 1024 (Default)
>     Max Contact length: 512
>     Max Content length: 2048
>     Ports:
>     5060    5061    5600
>     Methods:
>       invite cancel ack bye register options refer subscribe update join
> info message notify benotify do qauth sprack publish service unsubscribe
> prack
> IMAP Config:
>     Ports: 143
>     IMAP Memcap: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
>     Ports: 110
>     POP Memcap: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
>     Ports:
>     502
> DNP3 config:
>     Memcap: 262144
>     Check Link-Layer CRCs: ENABLED
>     Ports:
>     20000
> Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation
> Preprocessor disabled.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 3565 Snort rules read
>     3565 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 3565 Option Chains linked into 187 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port
> Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src    1478       5       0       0
> |     dst    1737     200       0       0
> |     any     126      44      28      26
> |      nc      52      12       1       0
> |     s+d       3       1       0       0
>
> +----------------------------------------------------------------------------
>
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[detection-filter-rules]-------------------------------
>
> -------------------------------------------------------------------------------
>
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[rate-filter-rules]------------------------------------
> | none
>
> -------------------------------------------------------------------------------
>
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[event-filter-global]----------------------------------
>
> +-----------------------[event-filter-local]-----------------------------------
> | none
>
> +-----------------------[suppression]------------------------------------------
> | none
>
> -------------------------------------------------------------------------------
> Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
> ICMP tracking disabled, no ICMP sessions allocated
> IP tracking disabled, no IP sessions allocated
> WARNING: flowbits key 'file.xlsx' is set but not ever checked.
> WARNING: flowbits key 'file.maki' is set but not ever checked.
> WARNING: flowbits key 'file.rar' is set but not ever checked.
> WARNING: flowbits key 'file.cov' is set but not ever checked.
> WARNING: flowbits key 'file.ppsx' is set but not ever checked.
> WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
> WARNING: flowbits key 'sybase.tds.connection' is set but not ever checked.
> WARNING: flowbits key 'file.vqf' is set but not ever checked.
> WARNING: flowbits key 'file.bzip' is checked but not ever set.
> WARNING: flowbits key 'file.emf' is set but not ever checked.
> WARNING: flowbits key 'file.wma' is set but not ever checked.
> WARNING: flowbits key 'file.swf.cff' is set but not ever checked.
> WARNING: flowbits key 'file.docm' is set but not ever checked.
> WARNING: flowbits key 'smb.trans2.fileinfo' is set but not ever checked.
> WARNING: flowbits key 'flags.fin' is set but not ever checked.
> WARNING: flowbits key 'acunetix.scanner' is set but not ever checked.
> WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
> WARNING: flowbits key 'file.mpeg' is checked but not ever set.
> WARNING: flowbits key 'file.pecompact' is set but not ever checked.
> WARNING: flowbits key 'smb.smi' is set but not ever checked.
> WARNING: flowbits key 'ms.packager' is set but not ever checked.
> 130 out of 1024 flowbits in use.
>
> [ Port Based Pattern Matching Memory ]
> +- [ Aho-Corasick Summary ] -------------------------------------
> | Storage Format    : Full-Q
> | Finite Automaton  : DFA
> | Alphabet Size     : 256 Chars
> | Sizeof State      : Variable (1,2,4 bytes)
> | Instances         : 144
> |     1 byte states : 131
> |     2 byte states : 13
> |     4 byte states : 0
> | Characters        : 60767
> | States            : 47626
> | Transitions       : 4423222
> | State Density     : 36.3%
> | Patterns          : 3667
> | Match States      : 3540
> | Memory (MB)       : 23.68
> |   Patterns        : 0.28
> |   Match Lists     : 0.43
> |   DFA
> |     1 byte states : 0.80
> |     2 byte states : 22.03
> |     4 byte states : 0.00
> +----------------------------------------------------------------
> [ Number of patterns truncated to 20 bytes: 391 ]
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth1".
> Reload thread starting...
> Reload thread started, thread 0xa688bb40 (4951)
> Decoding Ethernet
> Set gid to 1001
> Set uid to 1001
> ERROR: spo_unified2.c(321) Could not open
> /var/log/snort/snort.u2.1365276051: Permission denied
> Fatal Error, Quitting..
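The check Jarrett describes above, as an added example that is not part of the thread: a POSIX shell function, assuming `stat -c` (GNU coreutils or busybox), that answers the question Snort asks only after `Set uid to 1001` (can the `-u`/`-g` user create a file in the log directory?), so the problem is caught before a full startup; it goes beyond the single case in the thread by reporting the owner, group and world-writable cases separately.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces, before Snort is started,
# the access check that fails at the very end of Snort's startup above:
# after "Set uid to 1001" Snort has to create a new unified2 file in the
# log directory, which needs write AND search (x) permission on that
# directory for the unprivileged user/group given with -u and -g.
# Assumes `stat -c` (GNU coreutils or busybox); names are compared as strings.

# Return codes:
#   0  owner or group bits allow creating files in the directory
#   1  directory exists but this user/group cannot create files in it
#   2  directory does not exist
#   3  only writable because it is world-writable (Snort would start, but
#      any local user could then tamper with the alert logs)
log_dir_writable() {
    dir=$1; user=$2; group=$3
    [ -d "$dir" ] || return 2
    owner=$(stat -c '%U' "$dir")
    dgroup=$(stat -c '%G' "$dir")
    mode=$(( 0$(stat -c '%a' "$dir") ))        # leading 0 forces octal
    # comparisons are done inside $(( )) so the octal masks stay octal
    if [ "$owner" = "$user" ] && [ $(( (mode & 0300) == 0300 )) -ne 0 ]; then
        return 0
    fi
    if [ "$dgroup" = "$group" ] && [ $(( (mode & 0030) == 0030 )) -ne 0 ]; then
        return 0
    fi
    if [ $(( (mode & 0003) == 0003 )) -ne 0 ]; then
        return 3
    fi
    return 1
}

# Human-readable verdict; the failing case prints the fix from the reply above.
explain_log_dir() {
    rc=0
    log_dir_writable "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "ok: $2:$3 can create files in $1" ;;
        1) echo "FAIL: $2:$3 cannot create files in $1"
           echo "  (this is the spo_unified2 'Permission denied' above)"
           echo "  fix (as root): chown $2:$3 $1 && chmod 775 $1" ;;
        2) echo "FAIL: $1 does not exist; create it, then chown $2:$3 $1" ;;
        3) echo "WARN: $1 is world-writable; tighten it to the snort user/group" ;;
    esac
    return $rc
}

# Usage: sh check_snort_logdir.sh /var/log/snort snort snort
if [ $# -eq 3 ]; then
    explain_log_dir "$1" "$2" "$3"
fi
```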