Snort mailing list archives

RE: Fatal Error OpenLogFile


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 25 Jul 2001 23:50:26 -0700 (PDT)

On Thu, 26 Jul 2001, Scott wrote:

> Ok, I ran an strace and the line for mkdir is
> mkdir("/var/log/snort/xx.xxx.xxx.xx", 0775) = -1 EACCES (Permission denied)
> the function wanted the directory permissions set to 0775.  Once I did that
> and verified the /var/log/snort was snort/snort the ip directory logs were
> created. The IP directory that was created has permissions of 0700 and the
> data file within the IP directory has permissions of 0600. I did change the
> /var/log/snort to 0755 and it still seems to work.

Dandy!

> Now that it logs for the owner/group of snort/snort, how do I get snort to
> startup as the owner/group snort? or should I let snort run as owner/group
> root?

[...snippage...]

>         daemon /usr/sbin/snort -u root -g root -s -d -D \
>                 -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
>         touch /var/lock/subsys/snort

Change the "-u root" and "-g root" to "-u snort" and "-g snort".  Make sure
you have a user in /etc/passwd called snort.  Also make sure that snort is in
/etc/groups--Well, that's what I had to do.... :)

Now, one thing:  Depending on the permissions on eth1, the snort user may
not be able to access it.  If not, you either need to change permissions on it
so that it could--I think that is a not so good thing, personally--Or you
could create a chroot jail for snort.  Inside there you would need to build
out a /dev and /devices tree that mimics what your system has.  I borrowed a
tarball from sysadmin that created chroot jails.  It's not a perfect thing,
but very configurable.

I'll stick it at http://www.theadamsfamily.net/~erek/snort/cell.tar.gz if
anyone wants.  I'm still digging for a copy of the article.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
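
Added example (not part of the original message and not Snort's own code): a preflight check for the conditions this thread describes before changing the init line to "-u snort -g snort". It checks that the user and group entries exist and that the log directory is owned by that user and group, with owner rwx and no world write. The function names and the file-path parameters are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight checks to run before changing the init line to
# "-u snort -g snort". All paths are parameters (assumed names, not Snort's).

# has_entry NAME FILE: true if passwd/group-format FILE has an entry for NAME.
has_entry() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# dir_owner DIR: print "user:group" of DIR (GNU stat first, then BSD stat).
dir_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# dir_mode DIR: print DIR's permission bits as four octal digits, e.g. 0755.
dir_mode() {
    printf '%04d' "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
}

# preflight USER GROUP LOGDIR PASSWD_FILE GROUP_FILE
# Prints one line per problem and returns the number of problems found.
preflight() {
    user=$1 group=$2 logdir=$3 problems=0
    has_entry "$user" "$4" ||
        { echo "no user '$user' in $4"; problems=$((problems + 1)); }
    has_entry "$group" "$5" ||
        { echo "no group '$group' in $5"; problems=$((problems + 1)); }
    if [ ! -d "$logdir" ]; then
        echo "$logdir is not a directory"; problems=$((problems + 1))
        return "$problems"
    fi
    [ "$(dir_owner "$logdir")" = "$user:$group" ] ||
        { echo "$logdir is not owned by $user:$group"; problems=$((problems + 1)); }
    mode=$(dir_mode "$logdir")
    # The owner needs rwx to create the per-IP subdirectories (the mkdir
    # that failed with EACCES in the strace output).
    case $mode in
        ?7??) ;;
        *) echo "$logdir mode $mode: owner lacks rwx"; problems=$((problems + 1)) ;;
    esac
    # Packet logs should not sit in a directory any local user can write to.
    case $mode in
        ???[2367]) echo "$logdir mode $mode: world-writable"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Usage on a live system:
#   preflight snort snort /var/log/snort /etc/passwd /etc/group
```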

