Snort mailing list archives
Re: Chrooting snort
From: Alain Tesio <alain () onesite org>
Date: Fri, 1 Mar 2002 08:36:17 +0100
On Thu, 28 Feb 2002 22:17:20 -0800 (PST) Erek Adams <erek () theadamsfamily net> wrote:
Again, as expected. Snort drops needs root to bind to the interface. Once bound, it drops root privs.05:41:17 root ~ #chroot /var/chroot/snort $SNORT 05:41:31 root ~ #pidof snort 17289 05:41:39 root ~ #killall -HUP snort 05:41:44 root ~ #pidof snort 17289This _shouldn't_ work, but since it's using the chroot command instead of the '-t <dir>' option, that could be the reason it does. Hrm.... *goes to open up his C books*
I didn't know about this option, but there is no reason why it would behave differently in the chroot, the purpose of the chroot command is to provide another environment and the process running inside it should behave the same way. Indeed the only case I can think is this one, when it tries to chroot itself.
05:41:48 root ~ #killall -KILL snort 05:41:54 root ~ #chroot /var/chroot/snort $SNORT -u snort -g snort 05:42:05 root ~ #pidof snort 17297 05:42:11 root ~ #killall -HUP snort 05:42:15 root ~ #pidof snort 05:42:16 root ~ #Ok, if I'm following this right, even though it's chrooted, it still needs to have root privs to open the intereface. Since the user and group is changed before the call to execv it no longer has root privs and can't open the interface. Hrm... You might want to try it without the -D option to see what errors snort is tossing when it gets the signal. Looks like I'll have something to tinker with this weekend. :)
The error is: ERROR: OpenPcap() device eth0 open: socket: Operation not permitted So it's because it dropped the root privileges and can't open the interface again, chrooted or not. Is there a reason why snort close the interface when he receives a SIGHUP ? If this constraint is removed, snort could survive the signal if it's started with the chroot command and not the -t option.
Well, with the program I mentioned, if the 8 lines in the configuration are fine for your system, you just type "makejail examples/snort.py" and you have your jail ready.I've not grabbed a copy and tinkered with it yet, so I'm going to ask a possibly dumb question. Does it handle the libs that need to be linked in with snort? For example, if you compile with mysql support, does it properly handle the need for libmysqlclient.so.10?
Yes as "ldd snort" says it's using it, it also detects that files like /etc/snort.conf, /etc/passwd or the timezone file are needed because the process attempts to access them.
I do like the fact that it only takes 8 lines of config vs. the 4 files that the create_cell script does.
Well it works for some other things like apache and bind too with similar configuration files, and you don't have to feed it manually with a list of files. Alain _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Feb 28)
- Re: Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Feb 28)
- Re: Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Mar 01)
- BAD TRAFFIC (?) koriun@ipia (Mar 01)
- Re: Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Feb 28)