Snort mailing list archives
RE: Fatal Error OpenLogFile
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 25 Jul 2001 23:50:26 -0700 (PDT)
On Thu, 26 Jul 2001, Scott wrote:
Ok, I ran an strace and the line for mkdir is mkdir("/var/log/snort/xx.xxx.xxx.xx", 0775) = -1 EACCES (Permission denied). The function wanted the directory permissions set to 0775. Once I did that and verified the /var/log/snort was snort/snort the ip directory logs were created. The IP directory that was created has permissions of 0700 and the data file within the IP directory has permissions of 0600. I did change the /var/log/snort to 0755 and it still seems to work.
Dandy!
Now that it logs for the owner/group of snort/snort, how do I get snort to startup as the owner/group snort? or should I let snort run as owner/group root?
[...snippage...]
daemon /usr/sbin/snort -u root -g root -s -d -D \
    -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
touch /var/lock/subsys/snort
Change the "-u root" and "-g root" to "-u snort" and "-g snort". Make sure you have a user in /etc/passwd called snort. Also make sure that snort is in /etc/groups--Well, that's what I had to do.... :)

Now, one thing: Depending on the permissions on eth1, the snort user may not be able to access it. If not, you either need to change permissions on it so that it could--I think that is a not so good thing, personally--Or you could create a chroot jail for snort. Inside there you would need to build out a /dev and /devices tree that mimics what your system has.

I borrowed a tarball from sysadmin that created chroot jails. It's not a perfect thing, but very configurable. I'll stick it at http://www.theadamsfamily.net/~erek/snort/cell.tar.gz if anyone wants. I'm still digging for a copy of the article.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
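
Added example, not part of the original message or of Snort: a pre-flight check for the switch from "-u root -g root" to "-u snort -g snort" discussed above, covering the user and group entries and the log directory ownership and mode that caused the EACCES on mkdir. It assumes GNU stat (Linux); the function name snort_preflight, its arguments and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-flight check before running
# snort with "-u snort -g snort -l LOGDIR". Assumes GNU stat (Linux).
# The function name and return codes are made up for this example.

# snort_preflight LOGDIR [USER] [GROUP] [PASSWD_FILE] [GROUP_FILE]
# Returns 0 if all checks pass, otherwise:
#   1 = user missing, 2 = group missing, 3 = log dir missing,
#   4 = log dir not owned by USER:GROUP, 5 = owner lacks write+search
snort_preflight() {
    logdir=$1
    user=${2:-snort}
    group=${3:-snort}
    passwd_file=${4:-/etc/passwd}
    group_file=${5:-/etc/group}

    # uid is field 3 of the passwd entry, gid is field 3 of the group entry
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
    [ -n "$uid" ] || { echo "no user '$user' in $passwd_file" >&2; return 1; }
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || { echo "no group '$group' in $group_file" >&2; return 2; }

    [ -d "$logdir" ] || { echo "$logdir is not a directory" >&2; return 3; }

    # Compare numeric ids so the result does not depend on name lookups
    owner=$(stat -c '%u:%g' "$logdir")
    if [ "$owner" != "$uid:$gid" ]; then
        echo "$logdir is owned by $owner, expected $uid:$gid" >&2
        return 4
    fi

    # Snort creates one subdirectory per IP under LOGDIR, so the owner needs
    # write (2) and search (1) on it; without both, mkdir fails with EACCES.
    mode=$(stat -c '%a' "$logdir")
    owner_bits=$(( (0$mode >> 6) & 7 ))
    if [ $(( owner_bits & 3 )) -ne 3 ]; then
        echo "$logdir mode $mode: owner cannot create subdirectories" >&2
        return 5
    fi
    return 0
}
```

Run it as `snort_preflight /var/log/snort` before restarting the daemon; a non-zero return names the first check that failed.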