Snort mailing list archives
Re: (no subject)
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 07 Jun 2004 11:23:43 -0400
At 01:46 PM 6/5/2004, Mike Cohen wrote:
Hello, I'm new to snort, and I'm trying to create a snort box that runs as a non root user. I have a user snort which is in the group snort_group. I have given the snort_group ownership to the /var/log/snort directory and the /etc/snort directory. Whenever I try to start snort as any non root user I get the following. If I use root, or sudo I can start the program fine. I'm guessing I need access to the eth0 interface or some particular file or directory somewhere that is associated with starting sniffing on eth0. Can someone help me with this?
Mike, it's impossible to start snort as a non-root user, unless your system is hopelessly insecure, or you've manually added a kernel patch that provides fine-grained permissions.
The reason is that under a normal *nix kernel only root is capable of opening raw ethernet sockets and sniffing all the traffic coming in to the system.
Any user who can sniff arbitrary packets via the local system will be able to sniff passwords and hijack sessions from any unencrypted sessions on the system with a very high probability of success. While it's possible to avoid weakness, it's VERY likely that such a user would be able to gain root privileges. (do you ever download anything via http which might be executable?? Like, say, RPM updates?)
If you really want snort to run as a non-root user your best bet is to use the -u parameter to make snort setuid to a deprivileged user after it's opened its promisc socket. This is significantly safer than giving a non-root user sniffing permissions, as anyone exploiting snort after it's setuided will not be able to open new promisc sockets (although they might be able to use the existing one if they are diligent, this isn't exactly easy).
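The order described for -u above (open the promiscuous socket as root, then switch to an unprivileged user), sketched in C for Linux as an added example; it is not Snort's source and not part of the original post. The function names and the uid/gid 65534 are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>

/* Open the capture socket; on Linux this needs root (or CAP_NET_RAW). */
int open_sniff_socket(void) {
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: groups and gid first, uid last, because once the uid
 * is given up the process may no longer change its groups. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop cannot be undone: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(void) {
    int fd = open_sniff_socket();              /* step 1: still root */
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    /* 65534 is a constructed placeholder for the snort user's uid/gid */
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    /* step 2: unprivileged; the existing fd works, a new raw socket must not */
    int again = open_sniff_socket();
    printf("existing fd=%d kept, new raw socket: %s\n", fd,
           again < 0 ? "denied" : "ALLOWED (drop incomplete)");
    if (again >= 0) close(again);
    close(fd);
    return again < 0 ? 0 : 1;
}
```

Run as root, the program keeps the already-open descriptor after the switch while the second socket() call is refused, which is the property the reply relies on.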