Chrooting snort


Chrooting snort

Dave Harrison-3
Hi guys,

There doesn't seem to be much info around on how to chroot snort, and the
limited references to it that I have found somehow don't seem to feel right.

What I have come to is the following:

/usr/local/bin/snort -D -c /var/snort/etc/snort/snort.conf -l \
        /var/snort/var/log/snort -t /var/snort -u _snort -g _snort

Somehow I just don't trust this since it seems to want to read everything as a
fully relative path, and not simply relative to the chroot.

Can anyone that runs snort (I'm using the snort package from the 3.8 ports)
confirm if this is actually correctly chrooting or if (as I fear) it's not -
nothing in the launch output specifies that a chroot has occurred.

Cheers
Dave


Re: Chrooting snort

David Krause
* Dave Harrison <[hidden email]> [060224 00:18]:

> There doesn't seem to be much info around on how to chroot snort, and the
> limited references to it that I have found, somehow don't seem to feel right.
>
> What I have come to is the following :
>
> /usr/local/bin/snort -D -c /var/snort/etc/snort/snort.conf -l \
>         /var/snort/var/log/snort -t /var/snort -u _snort -g _snort
>
> Somehow I just don't trust this since it seems to want to read everything as a
> fully relative path, and not simply relative to the chroot.
>
> Can anyone that runs snort (I'm using the snort package from the 3.8 ports)
> confirm if this is actually correctly chrooting or if (as I fear) it's not -
> nothing in the launch output specifies that a chroot has occurred.

The way it works is that snort first opens the config file and puts the
interface into promiscuous mode, then it chroots.  So the config file option
and the log directory do need to be the full path.  Note that the config file
(and rules) don't need to live in the chroot, or anything else for that
matter except for the log directory.  I think that breaks -HUP however,
but it's safer.

If possible please try or have a look at the 3.9 port as I tried to set
up the user/group and chroot automatically.

From the 3.9 port:
It is recommended that snort be run as an unprivileged chrooted user.
An _snort user/group and log directory has been created for this
purpose.  You should start snort with the following options to take
advantage of this:
        -u _snort -g _snort -t /var/snort
and if you want to log:
        -l /var/snort/log

and the PLIST:
@sample /var/snort/
@owner _snort
@group _snort
@sample /var/snort/log/

David