This is correct: privileges are dropped before preprocessors are
initialized. However, there is a solution... though it's a bit of a hack.
There's a patch floating around for OpenBSD that allows any user to open a
raw socket. For those planning on using this sort of functionality, I
would suggest using a relatively new version of OpenBSD such that you can
restrict the ability of raw socket packet injection to only the snort user.
The rule in /etc/pf.conf would resemble:
pass out quick all user snort group snort
-Jeff
--On Sunday, July 21, 2002 11:00:47 -0500 David Wollmann
<dwol...@puttybox.com> wrote:
> Addendum:
>
> Rereading the source, I notice this at snort.c:303:
>
> /* Drop privelegies if requested, when initialisation is done */
> SetUidGid();
>
> /* if we're using the rules system, it gets initialized here */
> if(pv.use_rules && !conf_done)
> {
> /* initialize all the plugin modules */
> InitPreprocessors();
> InitPlugIns();
> InitOutputPlugins();
> InitTag();
> ...
>
> I assume this means that privileges are dropped before attempting to set
> up the react plug-in, causing the code in sp_react.c to throw a fatal
> error.
>
> Is there any way to force snort to open the raw socket before dropping
> privs?
>
>
> On Sun, Jul 21, 2002 at 07:35:28AM -0500, David Wollmann wrote:
>> OS: OpenBSD 3.1 (patch branch)
>> snort: Version 1.8.7 (Build 128)
>> libnet: 1.0.2a
>>
>> I've succeeded setting up a chroot-jailed snort on OpenBSD.
>>
>> I include the -u and -g options to drop privileges and this works fine
>> until I add flexresp directives to rules, which cause the following
>> error:
>>
>>
>> ERROR: cannot open raw socket for libnet, exiting...
>> Fatal Error, Quitting..
>>
>>
>> With privileges (in other words, running as uid 0), snort loads and inits
>> without this error and seems to run fine.
>>
>> After searching google (web & groups) I'm a bit confused about how to
>> solve this problem. In one thread the writer is advised that there was
>> an oversight in snort.c that caused privs to be dropped before
>> completion of initialization and a patch was included. Looking at the
>> copy of snort.c in my source tree, it appears that 1.8.7 does pretty
>> much the same thing as the patch, but I still have this problem.
>>
>> In another thread the advice is to run snort as root.
>>
>> I suppose a jailed snort running with privileges is better than nothing,
>> but I'd prefer to run without privileges, if possible.
>>
>> Any advice?
>>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
http://jeff.wwti.com (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
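The ordering David quotes from snort.c (SetUidGid() running before InitPlugIns() opens the raw socket) is a general privilege-dropping pitfall, not a snort-specific one. The program below is an added example, not snort's code and not the OpenBSD patch Jeff mentions; it shows the sequence an -u/-g style daemon needs: open the privileged resource while still uid 0, then drop supplementary groups, gid and uid permanently, then verify root cannot be regained. The open descriptor survives the drop, so the unprivileged process can still inject on it, whereas the reverse order fails at socket() with EPERM. The user and group names "snort" are placeholders and need not exist on the build host; the code assumes POSIX setgroups/setgid/setuid.

```c
/* Added example: open privileged resources first, drop privileges second.
 * Not snort code. Assumes POSIX setgroups/setgid/setuid; the "snort"
 * user/group names used in main() are placeholders. */
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Step 1 (still root): open the raw socket libnet-style injection needs.
 * Returns the fd, or -1 with errno set (EPERM when unprivileged). */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}

/* Step 2: drop privileges permanently. Order matters: supplementary groups
 * and the gid must be changed while still root, the uid last. Returns 0 on
 * success, -1 on failure or if uid 0 could still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                      /* clear supplementary groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: trying to become root again must fail. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0))
        return -1;
    return 0;
}

/* Resolve -u/-g style names to ids. Returns 0 on success, -1 if unknown. */
int lookup_ids(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = gr->gr_gid;
    return 0;
}

/* The correct sequence: open first, drop second. On success *raw_fd is a
 * usable raw socket owned by a now-unprivileged process. Doing these two
 * steps in the other order (what the quoted snort.c does for plugins) makes
 * socket() fail with EPERM. */
int init_then_drop(uid_t uid, gid_t gid, int *raw_fd)
{
    int fd = open_raw_socket();
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    *raw_fd = fd;
    return 0;
}

/* Confirm a descriptor is still a raw socket after the drop (no root needed). */
int is_raw_socket(int fd)
{
    int type = 0;
    socklen_t len = sizeof type;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return 0;
    return type == SOCK_RAW;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "snort";   /* placeholder names */
    const char *group = argc > 2 ? argv[2] : "snort";
    uid_t uid; gid_t gid; int fd;

    if (lookup_ids(user, group, &uid, &gid) != 0) {
        fprintf(stderr, "unknown user/group %s/%s\n", user, group);
        return 1;
    }
    if (init_then_drop(uid, gid, &fd) != 0) {
        fprintf(stderr, "init failed: %s\n", strerror(errno));
        return 1;
    }
    printf("raw fd %d held by uid %u, raw=%d\n",
           fd, (unsigned)geteuid(), is_raw_socket(fd));
    close(fd);
    return 0;
}
```

Run it as root with an existing unprivileged user (`./a.out nobody nogroup` on most systems) and it reports the raw descriptor still open after the drop; run it unprivileged and socket() fails with EPERM, which is exactly the "cannot open raw socket for libnet" situation once the drop has already happened. Note that the drop is verified, not assumed: a setuid() that leaves the saved uid at 0 would let the process climb back, and the check catches that.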