Snort mailing list archives

Re: New User -- Ownership and Logging Questions


From: Erek Adams <erek () snort org>
Date: Fri, 14 Feb 2003 16:50:16 -0500 (EST)

On Fri, 14 Feb 2003, Brian Dellinger wrote:

> I have worked with snort binary dumps in the past and have read some of
> Northcutt's books, but just yesterday fired up snort for the first time.

Learning ahead of working with it....  Very good.  :)

> I spent the last few days going through the manual and the FAQ, but I
> have two questions... These may be "thick headed-newbie, missed it in
> the man" type things and if so I apologize.  I really did try to find
> the answers on my own in the docs before posting.

Cool.  At least you tried.  :)

> 1) I am running snort using sudo because RH8 won't let my user account
> put the card in promiscuous mode as a user.  I don't *want* to run as
> root, so I've been doing "sudo snort -b -c snort.conf -l ./snortlog".
>         Q:  Any output from snort is then owned and locked to root.  Is
> there an easy way to specify the owner of the output or to run cleanly in my
> user context?

Sure.  You have a couple of options.

*  Use the -u <user> and/or -g <group> option.
*  Change permissions on your BPF device.
*  Put the interface under group ownership and have yourself and snort in
the group.
*  Use the -m <umask> to set the umask as something that your user could
read.

> 2) As above, I'm using the command "sudo snort -b -c snort.conf -l
> ./snortlog"...  From what I thought, using the binary switch would dump
> all packets into the ./snortlog/snort.log.123456789 file.  It appears,
> however, that packets get filed based on the attack profile (portscan).
> Is this a property in snort or in the ruleset?  I'd prefer to have all
> packets that trigger alerts dumped into the same log file.

No, that's just the portscan(2) preprocessor.  It drops all its data into
a file that's separate from the alert or snort.log.<foo> files.  No
packets are ever saved from the portscan(2) preprocessor, only a record
(src ip, dst ip, src port, dst ip, flags, etc) is saved, not the payload.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

