Re: [PATCH] Allow Snort to run as non-root with IPFW DAQ

[Todd Wease <twease () sourcefire com>]

Lawrence,

Thanks for the report and patch.  I've created a bug and attached your
patch for the issue.

Todd

On Tue, Mar 5, 2013 at 10:59 PM, Lawrence Teo <lteo () lteo net> wrote:

> Hello,
>
> DAQ 2.0.0's IPFW module has DAQ_CAPA_UNPRIV_START as a capability, but
> on OpenBSD and FreeBSD, superuser privileges are required to open a
> divert socket.  This prevents Snort from running as non-root with the -u
> and -g flags when the IPFW DAQ is used.
>
> If I try to, I'll get the following error (on OpenBSD):
>
> Feb 27 22:13:09 epsilon snort[23552]: FATAL ERROR: Can't start DAQ (-1)
> - ipfw_daq_start: can't create divert socket (Permission denied) !
>
> The attached patch removes DAQ_CAPA_UNPRIV_START from
> ipfw_daq_get_capabilities() so that it is possible to run Snort with the
> IPFW DAQ as non-root.
>
> The following shows Snort running successfully as a non-root _snort user
> on OpenBSD -current using DAQ 2.0.0 with this patch applied.
>
> $ ps uaxwwww | grep snort
> _snort     897  0.0  3.0 346460 15624 ??  Is    Mon04PM    0:04.00
> /usr/local/bin/snort -D -Q -k none --daq ipfw --daq-var port=800 -c
> /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l
> /var/snort/log
>
> I think it is very useful to be able to run Snort as non-root with the
> IPFW DAQ, and I hope you would consider integrating this patch in the
> next DAQ release.
>
> Thank you,
> Lawrence
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!