Snort mailing list archives
Re: [PATCH] Allow Snort to run as non-root with IPFW DAQ
From: Todd Wease <twease () sourcefire com>
Date: Wed, 6 Mar 2013 10:03:18 -0500
Lawrence,

Thanks for the report and patch. I've created a bug and attached your patch for the issue.

Todd

On Tue, Mar 5, 2013 at 10:59 PM, Lawrence Teo <lteo () lteo net> wrote:

Hello,

DAQ 2.0.0's IPFW module has DAQ_CAPA_UNPRIV_START as a capability, but on OpenBSD and FreeBSD, superuser privileges are required to open a divert socket. This prevents Snort from running as non-root with the -u and -g flags when the IPFW DAQ is used.

If I try to, I'll get the following error (on OpenBSD):

Feb 27 22:13:09 epsilon snort[23552]: FATAL ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Permission denied) !

The attached patch removes DAQ_CAPA_UNPRIV_START from ipfw_daq_get_capabilities() so that it is possible to run Snort with the IPFW DAQ as non-root.

The following shows Snort running successfully as a non-root _snort user on OpenBSD -current using DAQ 2.0.0 with this patch applied.

$ ps uaxwwww | grep snort
_snort 897 0.0 3.0 346460 15624 ?? Is Mon04PM 0:04.00 /usr/local/bin/snort -D -Q -k none --daq ipfw --daq-var port=800 -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log

I think it is very useful to be able to run Snort as non-root with the IPFW DAQ, and I hope you would consider integrating this patch in the next DAQ release.

Thank you,
Lawrence

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
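The start-order problem described in this thread, as a small model added here (not code from DAQ, Snort or the attached patch). It assumes the host program drops to the -u user before starting the DAQ when a module advertises unprivileged start, and starts the DAQ first otherwise; CAPA_UNPRIV_START, struct proc, daq_start, drop_privs and startup are hypothetical stand-ins, and uid 1000 is a constructed value.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the capability bit named in the thread;
 * the value is constructed, not taken from the DAQ headers. */
#define CAPA_UNPRIV_START 0x1u

struct proc { int euid; int divert_fd; };   /* modelled process state */

/* Model of the module start: a divert socket needs superuser. */
static int daq_start(struct proc *p)
{
    if (p->euid != 0)
        return -EACCES;                     /* "Permission denied" */
    p->divert_fd = 3;                       /* constructed descriptor */
    return 0;
}

static void drop_privs(struct proc *p, int uid) { p->euid = uid; }

/* Assumed host ordering: drop first if the module claims it can start
 * unprivileged, otherwise start first and drop afterwards.
 * Returns 0 or -errno; *final_euid is the uid the process ends up with. */
int startup(unsigned caps, int run_as_uid, int *final_euid)
{
    struct proc p = { 0, -1 };              /* launched as root */
    int rc;
    if (caps & CAPA_UNPRIV_START) {
        drop_privs(&p, run_as_uid);
        rc = daq_start(&p);                 /* fails unless still uid 0 */
    } else {
        rc = daq_start(&p);                 /* socket opened as root */
        if (rc == 0)
            drop_privs(&p, run_as_uid);     /* descriptor stays open */
    }
    *final_euid = p.euid;
    return rc;
}

int main(void)
{
    int euid, rc;
    rc = startup(CAPA_UNPRIV_START, 1000, &euid);
    printf("flag set:     rc=%d (%s)\n", rc, rc ? strerror(-rc) : "ok");
    rc = startup(0, 1000, &euid);
    printf("flag removed: rc=%d, running as uid %d\n", rc, euid);
    return 0;
}
```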
Current thread:
- [PATCH] Allow Snort to run as non-root with IPFW DAQ Lawrence Teo (Mar 05)
- Re: [PATCH] Allow Snort to run as non-root with IPFW DAQ Todd Wease (Mar 06)