Snort mailing list archives
Re: chroot semantics fubar again in 1.8
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 11 Jul 2001 16:58:06 -0700 (PDT)
On Wed, 11 Jul 2001, Erik Fichtner wrote:
> Why is it that chroot semantics in snort change every release?

'Cause we frustrated Marty and Company whining about it! ;-P

> I invoke snort like so:
>
>   /usr/local/bin/snort -i fxp0 -c /etc/snort/snort.conf -D -o \
>       -g 9999 -u 9999 -t /data/log -l /
>
> in 1.7, this worked perfectly. It put all my logs in /data/log, and the
> snort process couldn't see anything else. Which is almost how I wanted it.
>
> Now, if I specify -t in 1.8, I get the following error:
>
>   Initializing rule chains...
>   ERROR: Unable to open rules file: /etc/snort/snort.conf or /etc/snort//etc/snort/snort.conf
>   Fatal Error, Quitting..

Sure does... Oh, yeah--Once you get it working, you can't SIGHUP it anymore. :(
It recurses into the chroot dir since it's now / and then looks inside for the
chroot dir again!

> You're not seriously trying to tell me that I have to put my rules and my
> configuration file with my database passwords into the chroot environment
> are you? At that point, why am I chrooting? Am I the only person who wants
> the program to insulate itself against the possibility of an attacker
> compromising it and tampering with the sensor software?

What I've had to do to make it work: Create the entire set of devices needed.
Build a clone of my filesystem inside. And yes Virginia, you have to put the
configs and rules inside.

Nope, you're not the only person. There's a few out there... One thing that
might be considered is not to use DB logging. Log to a binary file, and after
a restart, bring it over to the db box and have a snort post process it and
place it into the DB.

I think that this is a bit of a pain for the developers to fix. I suspect that
they are hoarding their coding mojo for v2.0. :) Since many of them are at
BlackHat/DefCon I don't think we'll get an answer right away.

Sorry I can't help...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
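The two failure modes this thread describes (a config path outside the jail getting the chroot directory prepended to it, and a SIGHUP reload re-applying the chroot on top of itself) come from doing path lookups after chroot. The C program below is an added example, not Snort's code and not written by anyone on the thread: it opens configuration before chroot, keeps the descriptor for reloads, maps host paths into jail paths without doubling the prefix, and drops root in an order that can be verified. The function names path_inside_jail, enter_jail, read_config_fd and demo_reload are assumptions; the jail directory /data/log, the uid/gid 9999 and the path /etc/snort/snort.conf are taken from the message; the config contents are constructed.

```c
/* Added example (not Snort's code): open configuration from outside the
 * jail before chroot, chroot + chdir, drop root in the right order, and
 * re-read the config on reload via the kept descriptor rather than by path.
 * Function names are assumptions; paths and ids come from the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Translate a host path into the path seen once chroot(jail) is in effect.
 * Returns 0 and fills out when path lies inside the jail, -1 when it does
 * not (then it must be opened before chroot). This avoids the doubled
 * prefix the thread reports: jail + absolute path. */
int path_inside_jail(const char *jail, const char *path, char *out, size_t outlen)
{
    size_t jl = strlen(jail);
    while (jl > 1 && jail[jl - 1] == '/')
        jl--;                               /* ignore trailing slashes */
    if (jl == 1 && jail[0] == '/') {        /* jail "/" changes nothing */
        snprintf(out, outlen, "%s", path);
        return 0;
    }
    if (strncmp(path, jail, jl) != 0)
        return -1;
    if (path[jl] != '/' && path[jl] != '\0')
        return -1;                          /* "/data/logs" is not under "/data/log" */
    const char *rest = path + jl;
    snprintf(out, outlen, "%s", *rest ? rest : "/");
    return 0;
}

/* chroot, then chdir("/") so the cwd cannot be used to walk back out, then
 * drop supplementary groups, gid and uid with root given up last. Needs
 * root to succeed; the final setuid(0) must fail or the drop did not stick. */
int enter_jail(const char *jail, gid_t gid, uid_t uid)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Reload handler body: rewind the descriptor opened before chroot and read
 * it again. No path lookup, so it works after chroot and on every SIGHUP. */
ssize_t read_config_fd(int fd, char *buf, size_t len)
{
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1)
        return -1;
    return read(fd, buf, len);
}

/* Self-check: a constructed stand-in for snort.conf is read twice through
 * the same descriptor, as a daemon would on startup and after SIGHUP.
 * Returns 1 when both reads match the file, 0 otherwise. */
int demo_reload(void)
{
    char tmpl[] = "/tmp/snortcfg-XXXXXX";
    const char *conf = "var HOME_NET 10.0.0.0/8\n";   /* constructed content */
    size_t n = strlen(conf);
    char first[64], second[64];
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    int ok = write(fd, conf, n) == (ssize_t)n
          && read_config_fd(fd, first, sizeof first) == (ssize_t)n
          && read_config_fd(fd, second, sizeof second) == (ssize_t)n
          && memcmp(first, conf, n) == 0 && memcmp(second, conf, n) == 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    const char *jail = "/data/log";
    const char *paths[] = { "/etc/snort/snort.conf", "/data/log/alert" };
    char seen[256];
    for (size_t i = 0; i < 2; i++) {
        if (path_inside_jail(jail, paths[i], seen, sizeof seen) == 0)
            printf("%s -> %s inside the jail\n", paths[i], seen);
        else
            printf("%s is outside the jail: open it before chroot\n", paths[i]);
    }
    printf("reload via kept fd: %s\n", demo_reload() ? "ok" : "failed");
    if (geteuid() == 0)   /* chroot needs root; only attempted when we have it */
        printf("enter_jail: %s\n", enter_jail(jail, 9999, 9999) == 0 ? "ok" : strerror(errno));
    else
        puts("not root: skipping enter_jail (chroot needs root)");
    return 0;
}
```

Keeping the descriptor means an editor that replaces the file by rename leaves the daemon reading the old inode; a daemon that wants to pick up a replaced file must either keep the config inside the jail and reopen it by its jail-relative path (path_inside_jail gives that path) or be restarted rather than HUPed. Either way the chroot is applied exactly once, at startup, never in the reload handler.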
Current thread:
- chroot semantics fubar again in 1.8 Erik Fichtner (Jul 11)
- Re: chroot semantics fubar again in 1.8 Erek Adams (Jul 11)
- Re: chroot semantics fubar again in 1.8 Jason Haar (Jul 17)
- Re: chroot semantics fubar again in 1.8 Dragos Ruiu (Jul 11)
- Re: chroot semantics fubar again in 1.8 Erek Adams (Jul 11)