Snort mailing list archives

RE: Snort not logging to the /var/log/snort/alert file


From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Wed, 24 Mar 2004 18:09:33 -0500


Subject: Re: [Snort-users] Snort not logging to the /var/log/snort/alert file


> but I did type chmod 777 /var/log/snort under root. Is this
> all I need to do?

AAAHHHHHH!!!! NOOOOOOOO!!!!!!

um, sorry. I had to do that...

You should not simply "chmod 777" anything just to make something easier. If
you do, you are not only creating a potentially disastrous security
problem, you obviously are misunderstanding how the thingy is supposed to
work and need to do a bit of research.

Also (gratuitous advice warning) you should learn a bit about "sudo" before
you do too much simply logging in as root. This is a great utility that
allows a normally non-privileged user to execute single commands as another
user (normally root). I cannot tell you how many times it has made my life
easier.

One of the first things I do when I build a linux (or any other UNIX) box is
to add my account to the "sudoers" file. You can do this by (as root)
running "visudo" which will put you in a vi-like editor in the configuration
file for sudo. You can find a line that looks like:
# User privilege specification
root    ALL=(ALL) ALL

and duplicate it, replacing "root" with your userid. After this, login as
yourself and try:
sudo pwd
(or any other innocuous command)

sudo will prompt you for your own password and then execute the command as
root.

OK, now we can talk about snort a bit.

Snort should be started as root so it can put the interface into promiscuous
mode.
This also allows it to open the alert file as root (or create one if none
exists).

Like:
sudo snort -A Full -c /wherever/you/have/your/snort.conf -l /wherever/you/want/to/log

By default it will log to /var/log/snort/ using the filename "alert". If
things work normally, you should not have *any* alert file there when you
start snort and it will immediately create one.

You can do somewhat better than this if you want by creating a separate user
and group with limited permissions (like home directory of /dev/null and
default shell of /bin/false) and have snort change to that user/group after
startup. There are several reasons you might want to do this that I will not
go into right now.
However, snort still needs to be able to read from the network (so it needs
to start as root) and it needs to be able to write to wherever you tell it
(/var/log/snort/alert is normally the default location for the alert file).
If you want to run it as user snort, group snort, then that user/group would
need to be able to write to the appropriate directory.

Like:
sudo snort -u snort -g snort -A Full -c blah blah blah...

and as long as wherever you log to is writable by user (or group) snort,
that will be OK.

That said, many people simply let it run as root (at least when they are
learning) and have /var/log/snort/ owned by root. Snort will try to limit
the number of users who can read its output (you don't want or need
unprivileged users reading what is happening on the network) so it creates
the alert file and related directories only readable by whatever user it is
running as (recall, this is root by default).

The upshot of this long winded rant is that you don't need (or probably
want) to chmod the alert file. You simply let snort start as root and then
make sure when you look at the file you are doing so *as* root. (do take the
time to make friends with "sudo" please.)

Now your original question was that you had removed the alert file while
snort was running and you could not "recreate" it. This has to do with the
fact that the snort process opened the original file when it started and
kept that filehandle open. Your removing the file did not change that fact.
And snort would not normally need to re-create the alert file, so all your
efforts to do so were in vain. If you read some of the documentation, you
would find that if you send a hangup (HUP) signal to a running snort
process, it will cause it to re-read its configuration files and re-start
writing to the log file (by opening a new one if it needs to).
This is a common way to "rotate" the log file so as not to let it grow
without bound. That is, you would do something like this (using sudo, or in a
root cronjob):

mv /var/log/snort/alert /var/log/snort/alert.old
kill -HUP `cat /var/run/snort_eth0.pid`

Assuming your snort process is listening to eth0 and you have chosen the
default naming convention for the process id file, this will cause snort to
open a new file /var/log/snort/alert and you can do what you like with the
old one.

Hope this helps. Really sounds like you need to take some time to learn a
bit of basic UNIX while you are learning snort. You should be aware that if
you want (and feel more comfortable in a Windows environment) there is a
win32 port of snort you could play with also.

Later,
Jim
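The two points in Jim's reply that trip people up are worth seeing run: a daemon that opened its alert file at startup keeps writing to that inode no matter what happens to the path, so "rm" alone never brings the file back, while the mv-then-HUP rotation makes it reopen the path. The script below is an added example, not code from the post or from the Snort project. A background shell loop stands in for snort (it opens the file once and only reopens it on SIGHUP), the temp directory and the "snort_eth0.pid" file name are assumptions for the demo rather than live system paths, and the rotation function adds the pidfile and liveness checks a cron job should have before it sends a signal.

```shell
#!/bin/sh
# Added example (not from the original post or Snort): a fake daemon that
# behaves like snort with respect to its alert file, plus a checked version
# of the "mv alert alert.old; kill -HUP `cat snort_eth0.pid`" rotation.
# Paths are assumptions: everything lives in a temp dir, never /var/log/snort.

# wait_until TEST PATH: poll ~3 s until "[ TEST PATH ]" holds (TEST is -e or -s).
wait_until() {
    i=0
    while ! [ "$1" "$2" ] && [ "$i" -lt 30 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    [ "$1" "$2" ]
}

# start_fake_snort DIR: open DIR/alert once on fd 3 and keep appending through
# that descriptor; reopen the path only when a HUP arrives. Writes the
# background pid to DIR/snort_eth0.pid, mirroring snort's /var/run naming.
start_fake_snort() {
    dir=$1
    (
        trap 'exec 3>>"$dir/alert"' HUP   # HUP handler: reopen by path name
        exec 3>>"$dir/alert"              # opened once at startup, like snort
        n=0
        while :; do
            n=$((n + 1))
            echo "fake alert $n" >&3
            sleep 0.1
        done
    ) &
    echo $! > "$dir/snort_eth0.pid"
    wait_until -s "$dir/alert"            # wait for the first line to land
}

# live_pid PIDFILE: print the pid if the file exists and the process is alive;
# otherwise complain and fail (missing or stale pidfile, wrong interface name).
live_pid() {
    pid=$(cat "$1" 2>/dev/null) || { echo "no pidfile: $1" >&2; return 1; }
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid from $1 is not running (stale pidfile?)" >&2
        return 1
    fi
    echo "$pid"
}

# rotate_alert DIR: the recipe from the post with checks. Rename first (the
# daemon keeps writing into the renamed inode until the signal is handled),
# then HUP it so it opens a fresh DIR/alert. Succeeds once the new file exists.
rotate_alert() {
    dir=$1
    pid=$(live_pid "$dir/snort_eth0.pid") || return 1
    mv "$dir/alert" "$dir/alert.old" || return 1
    kill -HUP "$pid" || return 1
    wait_until -e "$dir/alert"
}

# rm_does_not_recreate DIR: what the original poster ran into. Deleting the
# path leaves the daemon writing to the unlinked inode; the path stays absent.
rm_does_not_recreate() {
    rm -f "$1/alert"
    sleep 0.5
    [ ! -e "$1/alert" ]
}

# stop_fake_snort DIR: terminate the stand-in daemon named in the pidfile.
stop_fake_snort() {
    pid=$(live_pid "$1/snort_eth0.pid") || return 1
    kill "$pid"
}

# demo: run the whole sequence in a fresh temp dir; 0 if every step behaved
# as the post describes.
demo() {
    d=$(mktemp -d) || return 1
    start_fake_snort "$d" || return 1
    rotate_alert "$d" || return 1
    [ -s "$d/alert.old" ] || return 1            # old data is in alert.old
    rm_does_not_recreate "$d" || return 1         # rm alone: file stays gone
    kill -HUP "$(cat "$d/snort_eth0.pid")" || return 1   # HUP: path reopened
    wait_until -e "$d/alert" || return 1
    stop_fake_snort "$d" || return 1
    rm -rf "$d"
}

demo && echo "rotation demo OK"
```

The liveness check matters in a cron job: if snort has died or was restarted on another interface, the pidfile is stale, and a blind `kill -HUP` would signal whatever process now owns that pid. Note also that no `chmod` appears anywhere; the rotated file keeps the permissions snort gave it, and the new one is created by snort itself under its own uid.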







_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

