Snort mailing list archives

Re: (no subject)


From: Mike Cohen <mike.cohen () gmail com>
Date: Mon, 7 Jun 2004 08:58:28 -0700

Thanks for the insight. This makes perfect sense. I only have a very
minimal *nix understanding, so my perspective is backwards on a lot of
this.

I'm just trying to make sure that I can try to lock down my sensor as
much as possible. Are there any other parameters like chroot or the
like that would help lock this down?

I've read the 3 major snort texts out now but I'm not getting that much
from them. I know this is an open ended question, but any suggestions
would help.

Thanks again for the helpful explanation.



On Mon, 07 Jun 2004 11:23:43 -0400, Matt Kettler <mkettler () evi-inc com> wrote:

At 01:46 PM 6/5/2004, Mike Cohen wrote:
Hello,

I'm new to snort, and I'm trying to create a snort box that runs as a
non-root user.
I have a user snort which is in the group snort_group.
I have given the snort_group ownership to the /var/log/snort
directory and the /etc/snort directory.

Whenever I try to start snort as any non-root user I get the
following. If I use root, or sudo, I can start the program fine. I'm
guessing I need access to the eth0 interface or some particular file
or directory somewhere that is associated with starting sniffing on
eth0.

Can someone help me with this?

Mike, it's impossible to start snort as a non-root user, unless your system
is hopelessly insecure, or you've manually added a kernel patch that
provides fine-grained permissions.

The reason is that under a normal *nix kernel only root is capable of
opening raw ethernet sockets and sniffing all the traffic coming in to the
system.

Any user who can sniff arbitrary packets via the local system will be able
to sniff passwords and hijack sessions from any unencrypted sessions on the
system with a very high probability of success. While it's possible to
avoid weakness, it's VERY likely that such a user would be able to gain
root privileges. (do you ever download anything via http which might be
executable?? Like, say, RPM updates?)

If you really want snort to run as a non-root user your best bet is to use
the -u parameter to make snort setuid to a deprivileged user after it's
opened its promisc socket. This is significantly safer than giving a
non-root user sniffing permissions, as anyone exploiting snort after it's
setuided will not be able to open new promisc sockets (although they might
be able to use the existing one if they are diligent, this isn't exactly easy).




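The privilege-drop pattern Matt describes, written out as an added example for Linux (not from the thread and not Snort's own source): open the raw socket while still root, then chroot, setgid and setuid in the order snort's -t, -g and -u options imply, and check what a process compromised after that point can and cannot do. The jail directory /var/empty and the user nobody are stand-ins for whatever the sensor actually uses; run it as root to see both phases, as an ordinary user only the "cannot open" phase applies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>

/* Open a raw AF_PACKET socket, as a sniffer must. Returns the fd, or -1 with
 * errno EPERM when the caller lacks CAP_NET_RAW (any ordinary user). */
int open_raw_socket(void) {
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Irrevocably give up root in the order that works: chroot first (it needs
 * root; chdir("/") keeps the old cwd from escaping the jail), drop
 * supplementary groups, setgid, then setuid last. Returns 0 or -1. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (jail && (chroot(jail) != 0 || chdir("/") != 0)) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return 0;
}

/* 1 if the process is unprivileged and cannot get root back, else 0. */
int privs_are_dropped(void) {
    if (geteuid() == 0) return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void) {
    int fd = open_raw_socket();                            /* as root: works */
    printf("raw socket before drop: %s\n", fd >= 0 ? "opened" : strerror(errno));
    if (geteuid() == 0) {                    /* the steps behind snort -t/-g/-u */
        struct passwd *pw = getpwnam("nobody");  /* stand-in for the snort user */
        if (!pw || drop_privileges("/var/empty", pw->pw_uid, pw->pw_gid) != 0) {
            perror("drop_privileges"); return 1;   /* /var/empty assumed to exist */
        }
    }
    printf("cannot regain root: %s\n", privs_are_dropped() ? "yes" : "NO");
    int again = open_raw_socket();             /* must fail once dropped */
    printf("new raw socket after drop: %s\n", again >= 0 ? "OPENED" : strerror(errno));
    char buf[64];                              /* but the fd opened earlier lives on */
    ssize_t n = fd >= 0 ? recv(fd, buf, sizeof buf, MSG_DONTWAIT) : -1;
    printf("existing socket still usable: %s\n", n >= 0 || errno == EAGAIN ? "yes" : "no");
    return 0;
}
```

The last line is the caveat in Matt's reply made visible: the socket opened before the drop keeps sniffing, so an attacker inside the deprivileged process inherits it even though they can open no new ones.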

