Snort mailing list archives
Re: Snort Security ? How to ? {correctios}
From: "d_greenjr" <d_greenjr () hotmail com>
Date: Sun, 20 Apr 2003 08:45:18 -0400
3. should read In the snort startup file (e.g., /etc/init.d/snort)...

And the line is "config umask:xxx" not "config mask:xxx"

----- Original Message -----
From: "d_greenjr" <d_greenjr () hotmail com>
To: <snort-users () lists sourceforge net>
Sent: Sunday, April 20, 2003 8:24 AM
Subject: Re: [Snort-users] Snort Security ? How to ?

I can answer #2--Running snort as non-root

1. Create a new user (optional) and group (e.g., user=sec, group=infosec)
2. Make it so that you cannot log in as the user (e.g., shell=/sbin/nologin or /dev/null)
3. In the snort startup file (e.g., /etc/init.d/rc.d/snort) create the variable SNORT_UID=sec and make the SNORT_GID=infosec (if you created this group for security personnel)
4. Add the option "-u $SNORT_UID" to the line $SNORT_PATH/snort -c $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS. It should now read as follows:

$SNORT_PATH/snort -c $CONFIG -i $IFACE -u $SNORT_UID -g $SNORT_GID $OPTIONS

At startup snort will be run as the user sec, group infosec and no one can log in as that user. You may have to change the permissions on the directory /var/log/snort to allow this user to read and write. You also may need to add the line "config mask:xxx" to the snort config file to make the permissions on files created by sec to be whatever you want. I have not gotten it to work yet, but I will query the group again. I am doing something wrong with that line.

----- Original Message -----
From: "Always Bishan" <bishan4u () yahoo co uk>
To: <snort-users () lists sourceforge net>
Sent: Sunday, April 20, 2003 2:57 AM
Subject: [Snort-users] Snort Security ? How to ?

Hi Snorters,

I am installing a RH8 Linux machine in my network which will serve the purpose of a snort sensor and the main snort manager. There will be 3 other snort sensors (all in linux) which will be logging into the snort manager. Now I want this Snort Manager and the 3 sensors to be extremely secure. This can be done by:

1. Installing minimum number of packages on all the boxes.
2. Running Snort as non-root.
3. Logging to the database as non-root.
4. Running Snort in a CHROOT environment.
5. Tight privileges to snort files.

Now, for making above possible, I don't have answers to the following questions:

1. What are the dependencies of Snort and what minimum packages do I need to install on the machine whose purpose is only as a snort sensor?
2. How do I run snort as a non-root user ?
3. What permissions like SELECT,INSERT,DELETE do I need to give to snort user for it to work seamlessly with ACID ?
4. How do I run Snort in a Chroot environment ? (Is there any document explaining this)

I think if we can answer these, we will have a very secure snort box. Please drop in your valuable comments.

Regards,
Bishan

=====
Celebrating Happiness
email: bishan () sumerusolutions com
company: www.sumerusolutions.com

__________________________________________________
Yahoo! Plus For a better Internet experience
http://www.yahoo.co.uk/btoffer

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
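
The non-root setup discussed in this thread (an account that cannot log in, a /var/log/snort it can write to, and the corrected "config umask:" line) can be verified with a short script. This is an added example, not code from the thread or from the Snort project; the function names, the list of no-login shells, and the rule that "other" gets no access to the log directory are assumptions, and it expects Linux with GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread): audit a non-root Snort account setup.
# Assumes Linux with GNU stat; function names and the "no access for other"
# rule are this example's assumptions.

# Succeeds if USER is in PASSWD_FILE with a shell that refuses logins.
login_disabled() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; ok = 1 } END { exit !ok }' "$2") || return 2
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/dev/null) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if USER (uid and primary gid read from PASSWD_FILE) has rwx on DIR
# through the owner or group bits, and "other" has no access at all.
logdir_ok() {
    ids=$(awk -F: -v u="$1" '$1 == u { print $3, $4; ok = 1 } END { exit !ok }' "$2") || return 2
    [ -d "$3" ] || return 2
    set -- $ids $(stat -c '%a %u %g' "$3")   # $1=uid $2=gid $3=mode $4=owner $5=group
    [ $(( $3 % 10 )) -eq 0 ] || return 1     # world bits must be clear
    if [ "$4" = "$1" ]; then [ $(( ($3 / 100) % 10 )) -eq 7 ]
    elif [ "$5" = "$2" ]; then [ $(( ($3 / 10) % 10 )) -eq 7 ]
    else return 1
    fi
}

# Prints the value of the "config umask:" directive; fails if it is absent
# (for example because it was typed as "config mask:").
conf_umask() {
    awk '$1 == "config" && $2 ~ /^umask:/ {
             sub(/^umask:/, "", $2); print ($2 != "" ? $2 : $3); ok = 1; exit }
         END { exit !ok }' "$1"
}

# Usage: audit_snort USER PASSWD_FILE LOGDIR SNORT_CONF; returns the failure count.
audit_snort() {
    fails=0
    login_disabled "$1" "$2" || { echo "FAIL: $1 missing or has a login shell"; fails=$((fails + 1)); }
    logdir_ok "$1" "$2" "$3" || { echo "FAIL: $3 not writable by $1 or open to other"; fails=$((fails + 1)); }
    conf_umask "$4" >/dev/null || { echo "FAIL: no 'config umask:' line in $4"; fails=$((fails + 1)); }
    return "$fails"
}

# Run the audit only when called with the four arguments.
[ "$#" -ne 4 ] || audit_snort "$@"
```

Called as `sh audit.sh sec /etc/passwd /var/log/snort /etc/snort/snort.conf` (file name and config path are placeholders), it prints one line per failed check and exits with the number of failures.
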
Current thread:
- Snort Security ? How to ? Always Bishan (Apr 20)
- Re: Snort Security ? How to ? d_greenjr (Apr 20)
- Re: Snort Security ? How to ? {correctios} d_greenjr (Apr 22)
- Re: Snort Security ? How to ? d_greenjr (Apr 20)