Snort mailing list archives

[PATCH] Allow Snort to run as non-root with IPFW DAQ


From: Lawrence Teo <lteo () lteo net>
Date: Tue, 5 Mar 2013 22:59:52 -0500

Hello,

DAQ 2.0.0's IPFW module has DAQ_CAPA_UNPRIV_START as a capability, but
on OpenBSD and FreeBSD, superuser privileges are required to open a
divert socket.  This prevents Snort from running as non-root with the -u
and -g flags when the IPFW DAQ is used.

If I try to, I'll get the following error (on OpenBSD):

Feb 27 22:13:09 epsilon snort[23552]: FATAL ERROR: Can't start DAQ (-1)
- ipfw_daq_start: can't create divert socket (Permission denied) !

The attached patch removes DAQ_CAPA_UNPRIV_START from
ipfw_daq_get_capabilities() so that it is possible to run Snort with the
IPFW DAQ as non-root.

The following shows Snort running successfully as a non-root _snort user
on OpenBSD -current using DAQ 2.0.0 with this patch applied.

$ ps uaxwwww | grep snort
_snort     897  0.0  3.0 346460 15624 ??  Is    Mon04PM    0:04.00
/usr/local/bin/snort -D -Q -k none --daq ipfw --daq-var port=800 -c
/etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l
/var/snort/log

I think it is very useful to be able to run Snort as non-root with the
IPFW DAQ, and I hope you would consider integrating this patch in the
next DAQ release.

Thank you,
Lawrence

Attachment: daq_ipfw-remove-capa-unpriv-start.diff

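As an added illustration (not part of Lawrence's message, and not code from the DAQ or Snort source), the following C model shows why the capability bit matters: Snort 2.9 consults DAQ_CAPA_UNPRIV_START to decide whether to drop the -u/-g privileges before or after it calls the DAQ module's start routine. The module, the process state and the "divert socket" open below are stand-ins written for this example (assumptions), and the numeric capability values are illustrative; a real divert socket is opened with socket(2) and IPPROTO_DIVERT on OpenBSD/FreeBSD, which this portable model deliberately does not attempt.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Capability bits in the style of DAQ 2.x's daq_common.h.  The numeric
 * values are illustrative (assumption); only the presence or absence of
 * the UNPRIV_START bit matters to the logic below.
 */
#define CAPA_BLOCK        0x001
#define CAPA_UNPRIV_START 0x020

/* Stand-in for the process: only the effective uid is tracked. */
typedef struct {
    int euid;
} proc_t;

/* Stand-in for a DAQ module: its advertised capabilities and a start hook. */
typedef struct {
    uint32_t caps;
    int (*start)(proc_t *);
} daq_module_t;

/* Ordered trace of what happened, for inspection after a run. */
static char trace[128];
static int  final_euid;

static void note(const char *s)
{
    if (trace[0])
        strncat(trace, ";", sizeof trace - strlen(trace) - 1);
    strncat(trace, s, sizeof trace - strlen(trace) - 1);
}

/*
 * Models ipfw_daq_start(): opening a divert socket on OpenBSD/FreeBSD
 * requires superuser privileges, so the open fails unless the caller is
 * still root.  (Stand-in; no real socket is created.)
 */
static int ipfw_like_start(proc_t *p)
{
    if (p->euid != 0) {
        note("start:failed(Permission denied)");
        errno = EACCES;
        return -1;
    }
    note("start:ok");
    return 0;
}

/* Models Snort's -u/-g handling: drop from root to the target uid. */
static void drop_privileges(proc_t *p, int target_uid)
{
    p->euid = target_uid;
    note("drop");
}

/*
 * Snort 2.9's startup ordering as driven by the capability: when the
 * module claims it can be started unprivileged, Snort drops privileges
 * first and then starts the DAQ; otherwise it starts the DAQ while still
 * root and drops privileges afterwards.  Returns 0 on success, -1 if the
 * DAQ could not be started.
 */
int snort_like_startup(daq_module_t *daq, proc_t *p, int target_uid)
{
    int rc;

    trace[0] = '\0';
    if (daq->caps & CAPA_UNPRIV_START) {
        drop_privileges(p, target_uid);
        rc = daq->start(p);
    } else {
        rc = daq->start(p);
        if (rc == 0)
            drop_privileges(p, target_uid);
    }
    final_euid = p->euid;
    return rc;
}

const char *last_trace(void) { return trace; }
int last_euid(void) { return final_euid; }

/* Before the patch: the IPFW module advertises UNPRIV_START. */
int demo_before_patch(void)
{
    daq_module_t ipfw = { CAPA_BLOCK | CAPA_UNPRIV_START, ipfw_like_start };
    proc_t p = { 0 };                 /* started as root */
    return snort_like_startup(&ipfw, &p, 1001);
}

/* After the patch: the bit is gone, so the socket is opened as root first. */
int demo_after_patch(void)
{
    daq_module_t ipfw = { CAPA_BLOCK, ipfw_like_start };
    proc_t p = { 0 };
    return snort_like_startup(&ipfw, &p, 1001);
}

int main(void)
{
    int rc = demo_before_patch();
    printf("before patch: rc=%d euid=%d trace=%s\n", rc, last_euid(), last_trace());
    rc = demo_after_patch();
    printf("after patch:  rc=%d euid=%d trace=%s\n", rc, last_euid(), last_trace());
    return 0;
}
```

With the bit set, the model reproduces the failure mode in the log above (privileges are dropped, then the divert socket open fails with Permission denied); with the bit cleared, the socket is opened as root and the process still ends up running as the unprivileged uid, which is the outcome the ps output shows.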
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel