Snort mailing list archives
Re: Chrooting snort
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 28 Feb 2002 22:17:20 -0800 (PST)
On Fri, 1 Mar 2002, Alain Tesio wrote:
> On my machine, snort is killed by a SIGHUP when it's not running as root, whether it's in the jail or not:
Right. This is actually as expected, due to the way snort initializes.
> 05:40:13 root ~ #SNORT="/usr/sbin/snort -D -c /etc/snort/snort.conf -l /var/log/snort -b -d"
> 05:40:14 root ~ #$SNORT
> 05:40:17 root ~ #pidof snort
> 17271
> 05:40:22 root ~ #killall -HUP snort
> 05:40:28 root ~ #pidof snort
> 17271
> 05:40:30 root ~ #killall -KILL snort
Right. As it should.
> 05:40:35 root ~ #$SNORT -u snort -g snort
> 05:41:02 root ~ #pidof snort
> 17284
> 05:41:05 root ~ #killall -HUP snort
> 05:41:13 root ~ #pidof snort
Again, as expected. Snort needs root to bind to the interface. Once bound, it drops root privs.
> 05:41:17 root ~ #chroot /var/chroot/snort $SNORT
> 05:41:31 root ~ #pidof snort
> 17289
> 05:41:39 root ~ #killall -HUP snort
> 05:41:44 root ~ #pidof snort
> 17289
This _shouldn't_ work, but since it's using the chroot command instead of the '-t <dir>' option, that could be the reason it does. Hrm.... *goes to open up his C books*
> 05:41:48 root ~ #killall -KILL snort
> 05:41:54 root ~ #chroot /var/chroot/snort $SNORT -u snort -g snort
> 05:42:05 root ~ #pidof snort
> 17297
> 05:42:11 root ~ #killall -HUP snort
> 05:42:15 root ~ #pidof snort
> 05:42:16 root ~ #
Ok, if I'm following this right, even though it's chrooted, it still needs to have root privs to open the interface. Since the user and group are changed before the call to execv, it no longer has root privs and can't open the interface. Hrm... You might want to try it without the -D option to see what errors snort is tossing when it gets the signal. Looks like I'll have something to tinker with this weekend. :)
> Well, with the program I mentioned, if the 8 lines in the configuration are fine for your system, you just type "makejail examples/snort.py" and you have your jail ready.
I've not grabbed a copy and tinkered with it yet, so I'm going to ask a possibly dumb question. Does it handle the libs that need to be linked in with snort? For example, if you compile with mysql support, does it properly handle the need for libmysqlclient.so.10? I do like the fact that it only takes 8 lines of config vs. the 4 files that the create_cell script does.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
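The question above (does the jail builder copy in every shared library the snort binary is linked against, libmysqlclient.so.10 included?) can be checked mechanically. The following is an added example written for this page; it is not part of the thread, makejail, or create_cell. It runs ldd on the host binary, takes the absolute library paths from the output, and reports any that are not present at the same path beneath the jail directory. The sample ldd output, library names and jail path in it are constructed for illustration.

```python
"""Check that a chroot jail holds every shared library a binary needs.

Added example for the Snort chroot thread; not code from the thread,
makejail or create_cell. The ldd output used for the self-test below is
constructed, and /var/chroot/snort is only the jail path used in the thread.
"""
import os
import re
import subprocess
import sys

# An ldd line takes one of these shapes:
#   libpcap.so.0.6 => /usr/lib/libpcap.so.0.6 (0x40020000)
#   /lib/ld-linux.so.2 (0x40000000)
#   linux-gate.so.1 =>  (0xffffe000)        <- no path, nothing to copy
# The pattern captures the absolute path in the first two forms and
# deliberately does not match the third.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s*=>\s*)?(/\S+)\s*\(0x[0-9a-fA-F]+\)")


def parse_ldd(output):
    """Return the absolute library paths named in ldd output, in order."""
    paths = []
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def missing_in_jail(libs, jail):
    """Return the libraries whose host path does not exist beneath jail.

    A library at /usr/lib/libfoo.so on the host must exist at
    <jail>/usr/lib/libfoo.so, because the dynamic loader inside the
    chroot resolves the same path relative to the new root.
    """
    missing = []
    for lib in libs:
        jailed = os.path.join(jail, lib.lstrip("/"))
        if not os.path.exists(jailed):
            missing.append(lib)
    return missing


def check_binary(binary, jail):
    """Run ldd on binary (on the host) and report libraries absent from jail."""
    proc = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    return missing_in_jail(parse_ldd(proc.stdout), jail)


# Constructed ldd output for a snort built with MySQL support; the
# addresses and library versions are illustrative only.
SAMPLE_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        libpcap.so.0.6 => /usr/lib/libpcap.so.0.6 (0x40020000)
        libmysqlclient.so.10 => /usr/lib/libmysqlclient.so.10 (0x40040000)
        libc.so.6 => /lib/libc.so.6 (0x40100000)
        /lib/ld-linux.so.2 (0x40000000)
"""


if __name__ == "__main__":
    # Usage: jail_check.py /usr/sbin/snort /var/chroot/snort
    if len(sys.argv) != 3:
        print("usage: jail_check.py <binary> <jail-dir>", file=sys.stderr)
        sys.exit(2)
    absent = check_binary(sys.argv[1], sys.argv[2])
    for lib in absent:
        print("missing from jail:", lib)
    sys.exit(1 if absent else 0)
```

This only covers the libraries recorded as link-time dependencies, which is what ldd resolves on the host; anything snort or its output plugins load at run time with dlopen, and the NSS or resolver modules glibc pulls in behind the scenes, will not appear in the list and must be checked separately. Running the script without -D-style daemonisation of the jailed process, as suggested in the reply, is still the quickest way to see the loader's own error message when a library is absent.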