Snort mailing list archives
Re: Chrooting snort
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 1 Mar 2002 00:39:43 -0800 (PST)
[Any developers want to correct my stupidity? Please feel free!] On Fri, 1 Mar 2002, Alain Tesio wrote:
I didn't know about this option, but there is no reason why it would behave differently in the chroot, the purpose of the chroot command is to provide another environment and the process running inside it should behave the same way. Indeed the only case I can think is this one, when it tries to chroot itself.
I _really_ hate being made to think hard while trying to watch Star Wars. ;-) If you use -t <dir> and HUP snort, it _will_ break. The exec family of calls "replace the current process image with a new process image". Since that's the case, the chroot call becomes 'recursive' as the snort image gets replaced. Some other thoughts below...
The error is: ERROR: OpenPcap() device eth0 open: socket: Operation not permitted So it's because it dropped the root privileges and can't open the interface again, chrooted or not. Is there a reason why snort close the interface when he receives a SIGHUP ?
Well, I'm not a coder so I can't speak for the developers on that. From looking at the code, it's because of the exec(2) family calls. It reloads and restarts the whole program, which includes the binding to the interface. I'm not sure that snort is the one closing the interface. From what I can track thru the man pages and code, it seems to be due to the way that libpcap opens the interace. If the interface was opened without the close-on-exec flag set then it should remain open when snort restarts. But that's handled by a call out to libpcap, so that's where the change would have to be made (I think).
If this constraint is removed, snort could survive the signal if it's started with the chroot command and not the -t option.
Right... It would be spiffy, but since 2.0 is coming around the bend, I think it might have to wait till then (or later) to get 'fixed'. I think there's a handfull of people who are doing chroot'ing, so it's not too big of an issue for the developers right now.
Yes as "ldd snort" says it's using it, it also detects that files like /etc/snort.conf, /etc/passwd or the timezone file are needed because the process attempts to access them.
Spiffy! That's _MUCH_ more clueful that the Sunworld info I found. I'll have to take some time this weekend and give that a whirl.
Well it works for some other things like apache and bind too with similar configuration files, and you don't have to feed it manually with a list of files.
Very, very cool. I know what I'll be tinkering with on Sunday! :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Feb 28)
- Re: Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Feb 28)
- Re: Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Mar 01)
- BAD TRAFFIC (?) koriun@ipia (Mar 01)
- Re: Chrooting snort Alain Tesio (Feb 28)
- Re: Chrooting snort Erek Adams (Feb 28)