Snort mailing list archives

Re: chroot semantics fubar again in 1.8


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 11 Jul 2001 16:58:06 -0700 (PDT)

On Wed, 11 Jul 2001, Erik Fichtner wrote:

> Why is it that chroot semantics in snort change every release?

'Cause we frustrated Marty and Company whining about it!  ;-P


> I invoke snort like so:
>
> /usr/local/bin/snort -i fxp0 -c /etc/snort/snort.conf -D -o \
>   -g 9999 -u 9999 -t /data/log -l /
>
> In 1.7, this worked perfectly.  It put all my logs in /data/log, and the
> snort process couldn't see anything else.  Which is almost how I wanted it.
>
> Now, if I specify -t in 1.8, I get the following error:
>
> Initializing rule chains...
> ERROR: Unable to open rules file: /etc/snort/snort.conf or /etc/snort//etc/snort/snort.conf
> Fatal Error, Quitting..

Sure does...  Oh, yeah--Once you get it working, you can't SIGHUP it anymore.
:(  It recurses into the chroot dir since it's now / and then looks inside for
the chroot dir again!

> You're not seriously trying to tell me that I have to put my rules and my
> configuration file with my database passwords into the chroot environment
> are you?  At that point, why am I chrooting?  Am I the only person who
> wants the program to insulate itself against the possibility of an attacker
> compromising it and tampering with the sensor software?
>
> What I've had to do to make it work:
>
> Create the entire set of devices needed.
> Build a clone of my filesystem inside.
> And yes Virginia, you have to put the configs and rules inside.

Nope, you're not the only person.  There's a few out there...  One thing that
might be considered is not to use DB logging.  Log to a binary file, and after
a restart, bring it over to the db box and have a snort post process it and
place it into the DB.

I think that this is a bit of a pain for the developers to fix.  I suspect
that they are hoarding their coding mojo for v2.0.  :)  Since many of them are
at BlackHat/DefCon I don't think we'll get an answer right away.

Sorry I can't help...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
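The jail-staging procedure Erik lists (devices, a clone of the filesystem, configs and rules copied inside), combined with Erek's advice to drop DB logging inside the chroot, written out as an added shell example. This is not code from the thread or from the Snort project. It assumes the host-side config lives in /etc/snort (overridable), that snort will be started with `-t "$JAIL"` and with `-c`/`-l` paths given relative to the jail, that the `output database` lines in snort.conf are what carry the credentials, and that the unprivileged uid is 9999 as in Erik's command line. The device-node and chown steps need root and are skipped with a message otherwise, so the functions can be exercised as an ordinary user.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project.
# Stage a minimal chroot tree for a chrooted snort so that the paths handed
# to -c and -l resolve *inside* the jail, and so that the jailed process
# never holds the database password.
set -eu

# stage_jail JAIL [HOST_ETC] [RUN_UID]
# Copies config and rules from HOST_ETC (assumed /etc/snort) into JAIL,
# stripping "output database" lines: inside the jail we log to binary
# files only and post-process them on the DB box later.
stage_jail() {
    jail="${1%/}"
    src_etc="${2:-/etc/snort}"
    run_uid="${3:-9999}"          # the -u/-g id used in the thread

    mkdir -p "$jail/etc/snort" "$jail/var/log/snort" "$jail/dev"

    for f in "$src_etc"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            snort.conf)
                # keep everything except the DB output plugin lines
                grep -v '^output database' "$f" > "$jail/etc/snort/snort.conf"
                ;;
            *)
                cp "$f" "$jail/etc/snort/"
                ;;
        esac
    done

    # Device nodes and ownership need root; when staging as an ordinary
    # user (e.g. while exercising this script) report and skip that part.
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
        chown "$run_uid:$run_uid" "$jail/var/log/snort"
    else
        echo "not root: skipping mknod/chown in $jail" >&2
    fi
}

# jail_path JAIL HOST_PATH
# Prints the path snort must be given for HOST_PATH once it has chrooted
# into JAIL (the jail prefix removed). Fails if HOST_PATH is outside JAIL,
# because after chroot(2) the process cannot reach it at all.
jail_path() {
    jail="${1%/}"
    host_path="$2"
    case "$host_path" in
        "$jail"/*) printf '%s\n' "${host_path#"$jail"}" ;;
        *)
            echo "error: $host_path is outside $jail" >&2
            return 1
            ;;
    esac
}

# check_jail JAIL PATH...
# Pre-flight: every PATH (jail-relative, as passed to -c / -l) must already
# exist under JAIL, otherwise snort would fail exactly as in the thread.
check_jail() {
    jail="${1%/}"
    shift
    for p in "$@"; do
        if [ ! -e "$jail$p" ]; then
            echo "missing inside jail: $jail$p" >&2
            return 1
        fi
    done
}

# Typical use (as root):
#   stage_jail /data/jail /etc/snort 9999
#   check_jail /data/jail /etc/snort/snort.conf /var/log/snort
#   snort -i fxp0 -c /etc/snort/snort.conf -D -o -g 9999 -u 9999 \
#         -t /data/jail -l /var/log/snort
```

Note that the `-c` and `-l` arguments name files as they will appear after the chroot, which is why the config and rules have to be copied in; `check_jail` catches the case where they were not before the daemon is started.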