Re: Snort Security ? How to ? {correctios}

["d_greenjr" <d_greenjr () hotmail com>]

3. should read In the snort startup file (e.g., /etc/init.d/snort)...
And the line is "config umask:xxx" not "config mask:xxx"
----- Original Message -----
From: "d_greenjr" <d_greenjr () hotmail com>
To: <snort-users () lists sourceforge net>
Sent: Sunday, April 20, 2003 8:24 AM
Subject: Re: [Snort-users] Snort Security ? How to ?


> I can answer #2--Running snort as non-root
> 1. Create a new user (optional) and group (e.g user=sec, group=infosec)
> 2. Make it so that you cannot login as the user (e.g., shell=/sbin/nologin
> or /dev/null)
> 3. In the snort startup file (e.g., /etc/init.d/rc.d/snort) create the
> variable SNORT_UID=sec and make the SNORT_GID=infosec (if you created this
> group for security personnel)
> 4. Add the option "-u $SNORT_UID" to the line $SNORT_PATH/snort -c
> $CONFIG -i $IFACE -g $SNORT_GID $OPTIONS.
>
> It should now read as follows:
> $SNORT_PATH/snort -c $CONFIG -i $IFACE -u $SNORT_UID -g $SNORT_GID
$OPTIONS
> At startup snort will be ran as the user sec, group infosec and no one can
> login as that user.  You may have to change the permissions on the
directory
> /var/log/snort to allow this user to read and write.  You also may need to
> add the line "config mask:xxx" to the snort config file to make the
> permissions on files created by sec to be whatever you want.  I have not
> gotten it to work yet, but I will query the group again.  I am doing
> something wrong with that line.
>
>
> ----- Original Message -----
> From: "Always Bishan" <bishan4u () yahoo co uk>
> To: <snort-users () lists sourceforge net>
> Sent: Sunday, April 20, 2003 2:57 AM
> Subject: [Snort-users] Snort Security ? How to ?
>
>
> > Hi Snorters,
> >
> > I am installing a RH8 Linux machine in my network
> > which will serve the purpose of a snort sensor and the
> > main snort manager.There will be 3 other snort
> > sensors(all in linux) which will be logging into the
> > snort manager.
> >
> > Now I want this Snort Manager and the 3 sensors to be
> > extremely secure.
> > This can be done by:
> > 1. Installing minimum number of packages on all the
> > boxes.
> > 2. Running Snort as non-root.
> > 3. Logging to the database as non-root.
> > 4. Running Snort in a CHROOT environment.
> > 5. Tight privileges to snort files.
> >
> > Now, for making above possible, I don't have answers
> > to the following questions:
> >
> > 1. What are the dependencies of Snort and what minimum
> > packages do I need to install on the machine whose
> > purpose is only as a snort sensor?
> > 2. How do I run snort as a non-root user ?
> > 3. What permissions like SELECT,INSERT,DELETE do I
> > need to give to snort user for it to work seamlessly
> > with ACID ?
> > 4. How do I run Snort in a Chroot environment ? (Is
> > there any document explaining this)
> >
> > I think if we can answer these, we will have a very
> > secure snort box.
> >
> > Please drop in your valuable comments.
> >
> > Regards,
> > Bishan
> >
> >
> > =====
> > Celebrating Happiness
> > email: bishan () sumerusolutions com
> > company: www.sumerusolutions.com
> >
> > __________________________________________________
> > Yahoo! Plus
> > For a better Internet experience
> > http://www.yahoo.co.uk/btoffer
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users