
[Snort-users] chroot'd snort + flexresp


David Wollmann

Jul 21, 2002, 8:50:50 AM
OS: OpenBSD 3.1 (patch branch)
snort: Version 1.8.7 (Build 128)
libnet: 1.0.2a

I've succeeded in setting up a chroot-jailed snort on OpenBSD.

I include the -u and -g options to drop privileges and this works fine
until I add flexresp directives to rules, which cause the following
error:


ERROR: cannot open raw socket for libnet, exiting...
Fatal Error, Quitting..


With privileges (in other words, running as uid 0), snort loads and inits
without this error and seems to run fine.

After searching google (web & groups) I'm a bit confused about how to
solve this problem. In one thread the writer is advised that there was
an oversight in snort.c that caused privs to be dropped before
completion of initialization and a patch was included. Looking at the
copy of snort.c in my source tree, it appears that 1.8.7 does pretty
much the same thing as the patch, but I still have this problem.

In another thread the advice is to run snort as root.

I suppose a jailed snort running with privileges is better than nothing,
but I'd prefer to run without privileges, if possible.

Any advice?


--
David Wollmann
ICQ: 10742063


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

David Wollmann

Jul 21, 2002, 12:09:33 PM
Addendum:

Rereading the source, I notice this at snort.c:303:

    /* Drop privelegies if requested, when initialisation is done */
    SetUidGid();

    /* if we're using the rules system, it gets initialized here */
    if(pv.use_rules && !conf_done)
    {
        /* initialize all the plugin modules */
        InitPreprocessors();
        InitPlugIns();
        InitOutputPlugins();
        InitTag();
        ...

I assume this means that privileges are dropped before attempting to set up the
react plug-in, causing the code in sp_react.c to throw a fatal error.

Is there any way to force snort to open the raw socket before dropping
privs?


On Sun, Jul 21, 2002 at 07:35:28AM -0500, David Wollmann wrote:
> OS: OpenBSD 3.1 (patch branch)
> snort: Version 1.8.7 (Build 128)
> libnet: 1.0.2a
>
> I've succeeded in setting up a chroot-jailed snort on OpenBSD.
>
> I include the -u and -g options to drop privileges and this works fine
> until I add flexresp directives to rules, which cause the following
> error:
>
>
> ERROR: cannot open raw socket for libnet, exiting...
> Fatal Error, Quitting..
>
>
> With privileges (in other words, running as uid 0), snort loads and inits
> without this error and seems to run fine.
>
> After searching google (web & groups) I'm a bit confused about how to
> solve this problem. In one thread the writer is advised that there was
> an oversight in snort.c that caused privs to be dropped before
> completion of initialization and a patch was included. Looking at the
> copy of snort.c in my source tree, it appears that 1.8.7 does pretty
> much the same thing as the patch, but I still have this problem.
>
> In another thread the advice is to run snort as root.
>
> I suppose a jailed snort running with privileges is better than nothing,
> but I'd prefer to run without privileges, if possible.
>
> Any advice?
>

Chris Green

Jul 22, 2002, 10:51:08 AM
David Wollmann <dwol...@puttybox.com> writes:

> Addendum:
>
> Rereading the source, I notice this at snort.c:303:
>
>     /* Drop privelegies if requested, when initialisation is done */
>     SetUidGid();
>
>     /* if we're using the rules system, it gets initialized here */
>     if(pv.use_rules && !conf_done)
>     {
>         /* initialize all the plugin modules */
>         InitPreprocessors();
>         InitPlugIns();
>         InitOutputPlugins();
>         InitTag();
>         ...
>
> I assume this means that privileges are dropped before attempting to set up the
> react plug-in, causing the code in sp_react.c to throw a fatal error.
>
> Is there any way to force snort to open the raw socket before dropping
> privs?

Move the drop after the initializations; that's the way it used to be,
and I sent out a request to see if anyone cared if I changed it back
to the old way. No one really did.
--
Chris Green <c...@sourcefire.com>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
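The ordering problem discussed in this thread, shown in isolation as an added example (this is not Snort's or libnet's code, and the function names, the uid/gid 65534 and the jail path /var/empty are assumptions for illustration). A raw socket, which is what libnet needs for flexresp, can only be opened with root privileges, so it has to be opened before the chroot and the setgid/setuid calls; the descriptor stays usable afterwards. Each sequence runs in a forked child so the calling process keeps its own privileges, and the whole thing also runs unprivileged, in which case both orders simply report that the raw socket could not be opened.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one initialization sequence (returned via the child's exit status). */
enum init_result {
    INIT_OK = 0,
    INIT_RAW_SOCKET_FAILED = 1, /* socket(SOCK_RAW) refused, typically EPERM */
    INIT_DROP_FAILED = 2,       /* chroot/setgroups/setgid/setuid failed */
    INIT_SOCKET_LOST = 3,       /* descriptor no longer usable after the drop */
    INIT_CHILD_FAILED = 4       /* fork/waitpid problem in the harness */
};

/* What libnet does for flexresp: needs uid 0 (or CAP_NET_RAW on Linux). */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}

/* The equivalent of snort's -t/-u/-g: jail, then drop groups, gid, uid.
 * A no-op when not running as root so the example can be run unprivileged. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (getuid() != 0)
        return 0;
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)   /* gid first: after setuid() we could not */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)     /* the drop must be irreversible */
        return -1;
    return 0;
}

/* Is fd still an open raw socket? (checked after the privilege drop) */
static int raw_socket_alive(int fd)
{
    int type = 0;
    socklen_t len = sizeof type;
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0 && type == SOCK_RAW;
}

/* The order snort 1.8.7 used: drop first, then let the plug-ins open sockets. */
static int drop_then_open(const char *jail)
{
    if (enter_jail_and_drop(jail, 65534, 65534) != 0) /* assumed unprivileged ids */
        return INIT_DROP_FAILED;
    int fd = open_raw_socket();
    if (fd < 0)
        return INIT_RAW_SOCKET_FAILED;
    close(fd);
    return INIT_OK;
}

/* The fix suggested in the thread: privileged setup first, then drop. */
static int open_then_drop(const char *jail)
{
    int fd = open_raw_socket();
    if (fd < 0)
        return INIT_RAW_SOCKET_FAILED;
    if (enter_jail_and_drop(jail, 65534, 65534) != 0) {
        close(fd);
        return INIT_DROP_FAILED;
    }
    int alive = raw_socket_alive(fd);
    close(fd);
    return alive ? INIT_OK : INIT_SOCKET_LOST;
}

/* Run one sequence in a child so the caller keeps its own uid/gid and root. */
int run_sequence(int drop_first, const char *jail)
{
    pid_t pid = fork();
    if (pid < 0)
        return INIT_CHILD_FAILED;
    if (pid == 0)
        _exit(drop_first ? drop_then_open(jail) : open_then_drop(jail));
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return INIT_CHILD_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *jail = getuid() == 0 ? "/var/empty" : NULL; /* assumed jail dir */
    printf("drop privs, then open raw socket: result %d\n", run_sequence(1, jail));
    printf("open raw socket, then drop privs: result %d\n", run_sequence(0, jail));
    return 0;
}
```

Run as root the first sequence reports INIT_RAW_SOCKET_FAILED (the error in the original post) and the second INIT_OK; run as an ordinary user both report INIT_RAW_SOCKET_FAILED, because the process never had the privilege to begin with. The setuid(0) probe at the end of enter_jail_and_drop is the check worth keeping in any daemon: a drop that can be undone has not dropped anything.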
