Snort mailing list archives

Re: chroot semantics fubar again in 1.8


From: Dragos Ruiu <dr () kyx net>
Date: Wed, 11 Jul 2001 16:29:20 -0700

Uhm.... by the time your snort in the chroot jail is compromised
and they're mucking in your jail the sensor has _already_ been
tampered with and having the rules and other files there won't make 
much difference, it's just as easy to muck with a compromised
binary's memory data as it is with its chroot jail files so little 
overall increased security is gained by not having that stuff in 
the jail, imho...

If you are concerned with that, keep another copy around outside
the jail and wrapper snort with a little script that does a diff and
reports any mods between that and your copy outside the jail.
Even better if you do this as a part of whatever keeps your snort
running and restarts it.

Of course this is also another reason why we are working to make
sure there are _no_ sensor crashes, even sporadic ones, never mind 
the nasty ones that can be initiated by specific net traffic, or even
nastier, be exploited.... crashes which I think have been avoided so far,
thankfully. 1.8's non-new features of snort are all still stable, afaik...
Every new release of snort has always had a little bit of a shakedown 
period for a few weeks as little loose ends turn up, and my thanks to
all that are participating in getting all the kinks out.

Ok... back to that other stuff....

just my 2c,
--dr

P.s.  Here is a small shell script fragment that will restart your
snort if it's gone and log restarts... I recommend putting it in a crontab that's
run periodically.... And checking _any_ restarts very carefully!

#!/bin/sh
# Configuration file handed to every snort instance that gets (re)started.
i="snort.conf"
for IFACE in fxp0 fxp1
do
    if [ -f /var/run/snort_$IFACE.pid ]; then
        # A pidfile exists: check whether the process it names is still alive.
        if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
            echo `date` snorthup: removing bogus pidfile >>/var/log/messages
            echo `date` snorthup: restarting absentee snort on $IFACE with conf file $i >>/var/log/messages
            rm -f /var/run/snort_$IFACE.pid
            /usr/local/bin/snort -D -c $i -i $IFACE
        fi
    else
        # No pidfile at all: snort was never started on this interface, or died cleanly.
        echo `date` snorthup: restarting snort on $IFACE with conf file $i >>/var/log/messages
        /usr/local/bin/snort -D -c $i -i $IFACE
    fi
done

On Wed, 11 Jul 2001, Erik Fichtner wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Why is it that chroot semantics in snort change every release? 

I invoke snort like so:

/usr/local/bin/snort -i fxp0 -c /etc/snort/snort.conf -D -o \
  -g 9999 -u 9999 -t /data/log -l /

in 1.7, this worked perfectly.  It put all my logs in /data/log, and the
snort process couldn't see anything else.   Which is almost how I wanted it.

Now, if I specify -t in 1.8, I get the following error:

Initializing rule chains...
ERROR: Unable to open rules file: /etc/snort/snort.conf or /etc/snort//etc/snort/snort.conf
Fatal Error, Quitting..


You're not seriously trying to tell me that I have to put my rules and my
configuration file with my database passwords into the chroot environment
are you?    At that point, why am I chrooting?   Am I the only person who 
wants the program to insulate itself against the possibility of an attacker
compromising it and tampering with the sensor software? 
- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7TNxbQ7EzrewLMS0RAnTdAKCylWC7/m1COQGa25sVRZnpVhngugCfapbY
jUMHpL3urDAKF6u5QdGUdZ8=
=+3MJ
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
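The "keep another copy outside the jail and diff against it" wrapper that the reply sketches, written out as an added example (not code from the original post or from the Snort project). The reference directory /var/snort-reference, the function names, and the in-jail path /data/log (the -t directory from the thread) are assumptions; the log file is /var/log/messages as in the restart script. The demonstration at the bottom runs on constructed files in a temporary directory so it needs no snort installation.

```shell
#!/bin/sh
# Added example, not from the original post: compare the config and rules a
# chrooted snort reads against a reference copy kept outside the jail.
# Assumed/hypothetical locations:
#   REF_DIR  - root-owned, read-only reference copy outside the chroot
#   JAIL_DIR - the chroot (-t) directory snort runs in
#   LOGFILE  - where reports go, same file as the restart script uses
REF_DIR=${REF_DIR:-/var/snort-reference}
JAIL_DIR=${JAIL_DIR:-/data/log}
LOGFILE=${LOGFILE:-/var/log/messages}

# check_jail_files REF JAIL LOG
# For every regular file under REF, compare it with the same relative path
# under JAIL. Each missing or modified file is logged together with the diff.
# Returns 0 when everything matches, 1 when any file is missing or differs.
# Only files present in REF are checked: snort itself writes logs into the
# jail, so extra files there are not treated as tampering by this check.
check_jail_files() {
    ref=$1; jail=$2; log=$3
    status=0
    list=$(mktemp)
    ( cd "$ref" && find . -type f ) > "$list"
    # Redirect instead of a pipe so the status variable survives the loop.
    while read -r f; do
        if [ ! -f "$jail/$f" ]; then
            echo "$(date) snortcheck: $jail/$f missing from jail" >> "$log"
            status=1
        elif ! cmp -s "$ref/$f" "$jail/$f"; then
            echo "$(date) snortcheck: $jail/$f differs from $ref/$f" >> "$log"
            # diff exits 1 when files differ; that is expected here.
            diff "$ref/$f" "$jail/$f" >> "$log" 2>&1 || true
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# Stand-alone demonstration on constructed files (not real snort data).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/rules" "$tmp/jail/rules"
    printf 'var HOME_NET 10.0.0.0/8\ninclude rules/local.rules\n' > "$tmp/ref/snort.conf"
    printf '# constructed local rules file\n' > "$tmp/ref/rules/local.rules"
    cp "$tmp/ref/snort.conf" "$tmp/jail/snort.conf"
    cp "$tmp/ref/rules/local.rules" "$tmp/jail/rules/local.rules"
    if check_jail_files "$tmp/ref" "$tmp/jail" "$tmp/check.log"; then
        echo "demo: intact jail copy passes"
    fi
    # Constructed tampering: a line is appended to the in-jail config.
    echo 'include rules/extra.rules' >> "$tmp/jail/snort.conf"
    if ! check_jail_files "$tmp/ref" "$tmp/jail" "$tmp/check.log"; then
        echo "demo: tampered jail copy detected; report:"
        cat "$tmp/check.log"
    fi
    rm -rf "$tmp"
}
demo

# In production, call the check from the restart script before starting
# snort, so a sensor whose jail has been modified is not blindly restarted:
#   check_jail_files "$REF_DIR" "$JAIL_DIR" "$LOGFILE" || exit 1
```

The check is only as trustworthy as the reference copy, so it has to live outside the jail, be owned by root and not writable by the uid snort drops to; run the script from the same cron job as the restart fragment so a report lands in the log before any restart is attempted.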
