Snort mailing list archives
Re: Problems with umask on Snort 3
From: "Carter Waxman (cwaxman) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 4 Jan 2019 18:18:54 +0000
Snort default if not explicitly set:
umask(077); /* set default to be sane */
Adding -m0x1f (000 011 111) on top of user / group settings will give you a max of rwx-r---- instead of the default
rwx------
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Friday, January 4, 2019 at 1:09 PM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Cc: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Problems with umask on Snort 3
I'm still getting this problem when I run snort with the 'snort' user and group. I can't seem to get snort3 to output
log files with any permissions beyond rw for the owner. I've tried creating new log directories, verified the default
umask on the system, and I can't seem to get snort to grant read rights to the group or other sets. Snort doesn't seem
to follow the system mask when creating files.
For example, when I (as a regular user) go to create a file:
noah@snort3:~$ touch abc
noah@snort3:~$ ls -l
-rw-rw-r-- 1 noah noah 0 Jan 4 12:37 abc
Verify my umask:
noah@snort3:~$ umask
0002
If then (as a regular user) I try to run snort and create logs:
snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /home/noah/snort-logs/
I can then check the permissions on those log files:
noah@snort3:~$ ls -l snort-logs/
-rw------- 1 noah noah 1045217 Jan 4 12:56 alert_csv.txt.1546624609
You can see that snort creates files with 600 for the file permissions, when the system default is 644. I can't get
snort in any way (root, different user account, working with the -m option) to create files with 644 mode.
If I run snort with the snort user and group:
sudo mkdir /var/log/snort
sudo chown snort:snort /var/log/snort
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/snort -u snort -g snort
Then check the output; you can see snort switching user and group IDs:
Commencing packet processing
++ [0] /home/noah/pcaps/maccdc2012_00000.pcap
Set GID to 1002
Set UID to 999
And in the output file, the user and group are correct (snort:snort), but the permissions are again 600, not 644 as
you'd expect:
noah@snort3:~$ ls -l /var/log/snort
-rw------- 1 snort snort 514546 Jan 4 13:06 alert_csv.txt.1546625184
Is this a bug with snort, or am I doing something wrong?
Thanks for your help.
On Fri, Jan 4, 2019 at 5:39 PM Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:
*lowercase u and g
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of
"Carter Waxman (cwaxman) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Friday, January 4, 2019 at 11:38 AM
To: Noah Dietrich <noah_dietrich () 86penny org>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Problems with umask on Snort 3
Setting umask places limits on newly created files; it doesn’t set the actual permissions. Also, the permissions in
umask are inverted, so umask of 0x01FF will actually not allow any permission bits to be set. It sounds like what you
actually want is to create a user for your Snort process (for writing, leaving it root isn’t a good idea…), a group for
Snort readers, and set the process user / group with -U / -G.
-Carter
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of
Noah Dietrich <noah_dietrich () 86penny org>
Date: Thursday, January 3, 2019 at 1:09 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Problems with umask on Snort 3
Hello,
I am trying to get the umask option (-m) working with snort 3, and I'm not sure what is going wrong. I'm trying to
have Snort generate logs that users and other can read (644), but when I use the -m option with snort, I don't get the
results I expect. I can only seem to affect the read and write owner portion of the permissions. For example:
-m 0x000 leads to -rw-------
-m 0x01FF leads to ----------
-m 0x00FF leads to -r--------
Without using the -m flag, the default permissions are -rw-------
The command I'm running is
sudo snort -c /usr/local/etc/snort/snort.lua -r ~/pcaps/maccdc2012_00000.pcap -l /var/log/test -s 65535 -k none -q -m 0x00FF
Version of snort:
noah@snort3:~$ snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.0.0 (Build 250) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 2.2.2
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 1.1.0g 2 Nov 2017
Using libpcap version 1.8.1
Using PCRE version 8.39 2016-06-14
Using ZLIB version 1.2.11
Using FlatBuffers 1.10.0
Using Hyperscan version 5.0.0 2018-12-08
Using LZMA version 5.2.2
I'm not sure if I'm doing something wrong, or if this is a bug.
Thanks
Noah
