Snort mailing list archives

Re: When run as -u snort, snort does not have correct permissions to open interface.


From: twig les <twigles () yahoo com>
Date: Mon, 15 Jul 2002 16:27:14 -0700 (PDT)

I just tried this on my FreeBSD box and to make it
work I had to change ownership of the
/var/log/snort/alert and /var/log/snort/portscan.log
to the user since they're -rw-------.  Either that or
open them up.

Thanks though, I had forgotten to run snort as a mere
mortal.


--- Andy Ozment <andy.ozment () cc gatech edu> wrote:
I am trying to run snort as user & group snort instead of root. I am
starting snort with the command:


$ /usr/bin/snort -c /usr/etc/snort/snort.conf -i eth1 -u snort -g snort
Log directory = /var/log/snort
 
Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
 
        --== Initializing Snort ==--
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/etc/snort/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
 
Initializing Network Interface eth1
ERROR: OpenPcap() device eth1 open:
        socket: Operation not permitted
Fatal Error, Quitting..



It appears that snort is not opening the interface before it drops root
privileges. I've checked the users group archives, googled, and google
groups and have not found any useful information. I know that I have no
IP address assigned - that interface is simply receiving all of the
traffic sent through a switch (spanned). I use another interface to
administer the box. I don't see how the lack of IP address could cause
problems.

Here are my stats:
Linux <name> 2.4.9-34smp #1 SMP Sat Jun 1 06:15:25 EDT 2002 i686 unknown
snort 1.8.6 (Build 105) 
tcpdump-3.6.2-11.7.1.0
libpcap-0.6.2-11.7.1.0

I'm sure that this is something stupid that I'm doing wrong, because
otherwise there would be other posts. I would greatly appreciate any
pointers you can give me - even just new directions in which to look.

Thanks,
Andy


-- 
  Andy Ozment
  Research Scientist
  Georgia Tech College of Computing



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
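
Added example, not part of the original messages and not Snort code: a pre-flight check for the fix described in the reply above, listing which files in the log directory an unprivileged account could not write before snort is started with -u/-g. The function names, the temporary directory and the uids used in demo() are constructed for illustration; the check uses classic mode bits only and ignores ACLs.

```python
import os
import pwd
import stat
import tempfile

def ids_for(user):
    """uid and group ids of an account, e.g. the one passed to snort -u."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

def allowed(st, uid, gids, want):
    """Unix mode-bit check; want is rwx bits (0o2 write, 0o3 write+search)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return ((st.st_mode >> shift) & want) == want

def preflight(log_dir, uid, gids):
    """List (path, reason) for everything in log_dir the given user cannot write."""
    problems = []
    if not allowed(os.stat(log_dir), uid, gids, 0o3):
        problems.append((log_dir, "directory not writable/searchable"))
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and not allowed(st, uid, gids, 0o2):
            reason = "%s owned by uid %d" % (stat.filemode(st.st_mode), st.st_uid)
            problems.append((path, reason))
    return problems

def demo():
    """Constructed stand-in for /var/log/snort holding two -rw------- files."""
    d = tempfile.mkdtemp()
    for name in ("alert", "portscan.log"):
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, 0o600)
    os.chmod(d, 0o755)
    owner = os.stat(d).st_uid
    other = owner + 1  # constructed uid standing in for the unprivileged account
    return preflight(d, owner, set()), preflight(d, other, set())

if __name__ == "__main__":
    for path, reason in demo()[1]:
        print(path, reason)
```

On a real sensor the call would be preflight("/var/log/snort", *ids_for("snort")), with the directory and account name taken from the messages above.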


