Re: How to run snort with -g and -u flags

[twig les <twigles () yahoo com>]

My understanding of Snort's ability to run as another
user is that it *drops* the privileges to that user. 
This is significant in that you have to start out as
root for packet sniffing (tcpdump makes you do this
too).  So even though I run Snort and the rules update
crontab as user snort, I have to stop and start Snort
as root, which is no problem due to the clunky way our
infrastructure makes me update signatures....

So I guess the way I'll be automating this when I get
around to it is to have a seperate crontab under root
that bounces snort using the startup file about 5
minutes after the signature update runs.  Hope this
helps, sounds like you're 95% done.


--- Tim Goodwin <jaguar_fresh () yahoo com> wrote:
> Hi all
> I run the snort 1.8.7 on OpenBSD. I created user
> snort
> and I run snort with -g snort -u snort. I update
> rules
> with the oinkmaster which is run out of snort user
> crontab everyday. I have problem I hope you can
> help.
> snort users crontab oinkmaster gets new rules and
> work
> fine, at end of crontab I restart snort with kill
> -HUP
> `cat /var/run/snortpid` but it say I not root so I
> cant sniff. Which is true, I not root, I snort at
> that
> time. How I get around this? Also another thing...I
> start snort from the rc.local file but snort start
> as
> root and only root can read /var/run/snortpid file
> so
> I have to manual chmod it to have snort user read
> it.
> What do people do to work with these problems. thank
> you for your time
>
> Marcello
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users