Snort mailing list archives

Re: non-root user cannot run snort


From: Robert Storey <y2kbug () ms25 hinet net>
Date: Wed, 28 Jan 2004 14:43:07 +0800

On Tue, 27 Jan 2004 13:38:38 -0500
Matt Kettler <mkettler () evi-inc com> wrote:

> At 08:09 AM 1/27/2004, Robert Storey wrote:
>> It's funny that the Snort users manual makes no mention of this
>> issue. I think I will write the authors and suggest that it be
>> included.
>
> Quite frankly, it should be *obvious* that snort can't be directly
> executed by a non-root user....

Sorry, I should probably have been more specific. Yes, I know that it
would be very unwise to allow any non-root user to initiate a
packet-sniffing session. What I should have said is that the User Manual
needs to point out how to switch control of the process from root to
non-root user after the session is initiated. It's not difficult to do
once you know the trick, but it's not intuitive and it's not mentioned
at all in the User Manual. Remember, there are lots of newbies (like me)
who never saw Snort until a few days ago, and we're learning as we go
along. I've just written to the maintainers of the manual and suggested
a couple of sentences be added to demonstrate the procedure.

Something else - I did a bit of googling and found a Snort how-to PDF
for FreeBSD ("How to setup and secure Snort, MySQL and Acid on FreeBSD
4.7 Release" by Keith Tokash). He makes the excellent suggestion of
creating a non-privileged user (Snortman) who doesn't have a shell, so
no possibility of logging in and doing damage. You can find a copy here:

www.snort.org/docs/FreeBSD47RELEASE-Snort-MySQLVer1-3.pdf

> Not to be rude, but...

I never take offense at what people say on mailing lists. I appreciate
all the help that I receive. Feel free to point out when I've said
something stupid.

best regards,
Robert
Part-time idiot system-administrator
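
The switch discussed in the message above (start as root, open the capture, then continue as an unprivileged account), shown in C as an added example; it is not part of the original post and is not Snort's code. Snort exposes this kind of switch through its -u and -g options; the numeric IDs taken from the command line and the raw ICMP socket standing in for the capture handle are assumptions.

```c
#define _DEFAULT_SOURCE   /* for setgroups() under strict -std modes */
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once the process is irreversibly running as uid/gid, else -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                 /* "dropping" to root is not a drop */
    /* Only root may call setgroups(); clear root's supplementary groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: after setuid() the gid can no longer be changed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify rather than trust return codes: IDs match, root is gone. */
    if (getuid() != uid || geteuid() != uid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)
        return -1;                 /* root was regained: drop did not stick */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <uid> <gid>\n", argv[0]);
        return 2;
    }
    /* Stand-in for a sniffer's capture handle; opening it needs root. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        perror("raw socket (continuing without it)");
    if (drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2])) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("uid=%d gid=%d, fd %d still open\n", (int)getuid(), (int)getgid(), fd);
    return 0;
}
```

The descriptor opened before the drop stays usable afterwards, which is why the process only needs root during start-up.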

