Re: upriviileged snort user (was Re: [Snort-users] (no subject))

Hi,

> Looks like your user is not allowed to put the interface into
> promiscuous mode. Try doing this manually as root, e.g. ifconfig eth0
> promisc Then see if snort will launch as your unprivileged user. If
> so, then you need to add snort user to whatever group Suse uses for
> such privileges. Else you may also be able to do it via a login.conf
> setting.

no, this won't help. It is not a question of promiscous mode or not.
Yes, you need the promiscuous mode to sniff all traffic on the interface
but on unix no "normal" user is allowed to get the real traffic an
interface sees. So there is no other way than starting snort as user
"root". But you can use the '-u' option of snort to change the user id
after initialization has been done as user root.

But note: A SIGHUP won't be able to restart snort after this point.
Since the root privileges are dropped after initialization snort
won't be able to reopen the interface to read the traffic.

Best regards

Dirk


-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users