Snort mailing list archives
Re: chroot semantics fubar again in 1.8
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 11 Jul 2001 16:29:20 -0700
Uhm.... by the time your snort in the chroot jail is compromised and they're mucking in your jail, the sensor has _already_ been tampered with, and having the rules and other files there won't make much difference. It's just as easy to muck with a compromised binary's memory data as it is with its chroot jail files, so little overall increased security is gained by not having that stuff in the jail, imho...

If you are concerned with that, keep another copy around outside the jail and wrapper snort with a little script that does a diff and reports any mods between that and your copy outside the jail. Even better if you do this as a part of whatever keeps your snort running and restarts it.

Of course this is also another reason why we are working to make sure there are _no_ sensor crashes, even sporadic ones, never mind the nasty ones that can be initiated by specific net traffic, or even nastier, be exploited.... crashes which I think have been avoided so far, thankfully. 1.8's non-new features of snort are all still stable, afaik... Every new release of snort has always had a little bit of a shakedown period for a few weeks as little loose ends turn up, and my thanks to all that are participating in getting all the kinks out.

Ok... back to that other stuff.... just my 2c,

--dr

P.s. Here is a small shell script fragment that will restart your snort if it's gone and log restarts... I recommend putting it in a crontab that's run periodically.... And checking _any_ restarts very carefully!

#!/bin/sh
# Restart any snort instance whose pidfile is missing or stale, and log each restart.
i="snort.conf"
for IFACE in fxp0 fxp1
do
  if [ -f /var/run/snort_$IFACE.pid ]; then
    # pidfile exists: check that the pid it names is still running
    if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
      echo `date` snorthup: removing bogus pidfile >>/var/log/messages
      echo `date` snorthup: restarting absentee snort on $IFACE with conf file $i >>/var/log/messages
      rm -f /var/run/snort_$IFACE.pid
      /usr/local/bin/snort -D -c $i -i $IFACE
    fi
  else
    # no pidfile at all: snort was never started or died without cleaning up
    echo `date` snorthup: restarting snort on $IFACE with conf file $i >>/var/log/messages
    /usr/local/bin/snort -D -c $i -i $IFACE
  fi
done

On Wed, 11 Jul 2001, Erik Fichtner wrote:
Why is it that chroot semantics in snort change every release?

I invoke snort like so:

/usr/local/bin/snort -i fxp0 -c /etc/snort/snort.conf -D -o \
  -g 9999 -u 9999 -t /data/log -l /

In 1.7, this worked perfectly. It put all my logs in /data/log, and the snort process couldn't see anything else. Which is almost how I wanted it.

Now, if I specify -t in 1.8, I get the following error:

Initializing rule chains...
ERROR: Unable to open rules file: /etc/snort/snort.conf or /etc/snort//etc/snort/snort.conf
Fatal Error, Quitting..

You're not seriously trying to tell me that I have to put my rules and my configuration file with my database passwords into the chroot environment, are you? At that point, why am I chrooting?

Am I the only person who wants the program to insulate itself against the possibility of an attacker compromising it and tampering with the sensor software?

--
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
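As an added example (not the script from the post above and not part of snort), a watchdog in the same spirit that also applies the suggestion in the reply: it checks that the pid in the pidfile really is a snort process, diffs the config inside the jail against a reference copy kept outside it, and refuses to restart from a modified config. The paths JAIL, JAIL_CONF, REF_CONF and SNORT, and the assumption that snort 1.8 resolves -c inside the -t directory, are assumptions, not something the thread settles.

```shell
#!/bin/sh
# Added example, not the list post's script. Assumed paths: JAIL, JAIL_CONF,
# REF_CONF, SNORT. Run from cron as root; every logged restart deserves a look.
JAIL=${JAIL:-/data/snort}
JAIL_CONF=${JAIL_CONF:-$JAIL/etc/snort/snort.conf}   # copy snort reads inside the jail
REF_CONF=${REF_CONF:-/etc/snort/snort.conf.ref}      # reference copy outside the jail
SNORT=${SNORT:-/usr/local/bin/snort}

log() { printf '%s snorthup: %s\n' "$(date '+%b %d %H:%M:%S')" "$*" >&2; }

# pid_is_process PIDFILE NAME: succeed only if PIDFILE holds a numeric pid that
# is alive and whose command name is NAME (a stale pid can be reused by anything).
pid_is_process() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$(ps -p "$pid" -o comm= 2>/dev/null)" = "$2" ]
}

# config_intact JAILCOPY REFCOPY: succeed if byte-identical; log the diff if not.
config_intact() {
    cmp -s "$1" "$2" && return 0
    log "config $1 differs from reference $2:"
    diff -u "$2" "$1" >&2 || true
    return 1
}

# check_iface IFACE: restart snort on IFACE if it is gone, but never from a
# config that no longer matches the reference; that would run the modified
# sensor for whoever changed it. Log and leave it down for a human instead.
check_iface() {
    iface=$1
    pidfile=/var/run/snort_$iface.pid
    pid_is_process "$pidfile" snort && return 0
    if ! config_intact "$JAIL_CONF" "$REF_CONF"; then
        log "NOT restarting snort on $iface: jailed config modified, investigate"
        return 2
    fi
    [ -f "$pidfile" ] && { log "removing stale pidfile $pidfile"; rm -f "$pidfile"; }
    log "restarting snort on $iface with $JAIL_CONF"
    # -c is given as the path seen inside the jail (assumed 1.8 behaviour under -t)
    "$SNORT" -D -c /etc/snort/snort.conf -i "$iface" -t "$JAIL"
}

# Usage from cron: snorthup.sh --run fxp0 fxp1
case "${1:-}" in
    --run) shift; for IFACE in "$@"; do check_iface "$IFACE" || true; done ;;
esac
```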
Current thread:
- chroot semantics fubar again in 1.8 Erik Fichtner (Jul 11)
- Re: chroot semantics fubar again in 1.8 Erek Adams (Jul 11)
- Re: chroot semantics fubar again in 1.8 Jason Haar (Jul 17)
- Re: chroot semantics fubar again in 1.8 Dragos Ruiu (Jul 11)
- Re: chroot semantics fubar again in 1.8 Erek Adams (Jul 11)