* Dave Harrison <[EMAIL PROTECTED]> [060224 00:18]:
> There doesn't seem to be much info around on how to chroot snort, and the
> limited references to it that I have found, somehow don't seem to feel right.
>
> What I have come to is the following:
>
> /usr/local/bin/snort -D -c /var/snort/etc/snort/snort.conf -l \
> /var/snort/var/log/snort -t /var/snort -u _snort -g _snort
>
> Somehow I just don't trust this since it seems to want to read everything as a
> fully relative path, and not simply relative to the chroot.
>
> Can anyone that runs snort (I'm using the snort package from the 3.8 ports)
> confirm if this is actually correctly chrooting or if (as I fear) it's not -
> nothing in the launch output specifies that a chroot has occurred.
The way it works is snort first opens the config file and promisc on the interface, then it chroots. So the config file option and the log directory do need to be the full path. Note that the config file (and rules) don't need to live in the chroot, or anything else for that matter except for the log directory. I think that breaks -HUP however, but it's safer.

If possible please try or have a look at the 3.9 port as I tried to set up the user/group and chroot automatically.

From the 3.9 port:

It is recommended that snort be run as an unprivileged chrooted user. An _snort user/group and log directory has been created for this purpose. You should start snort with the following options to take advantage of this:

    -u _snort -g _snort -t /var/snort

and if you want to log:

    -l /var/snort/log

and the PLIST:

    @sample /var/snort/
    @owner _snort
    @group _snort
    @sample /var/snort/log/

David
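An added illustration of the point in David's reply, not part of the thread or of the snort port: because snort opens the config file and the interface before calling chroot(2), `-c` and `-t` are full host paths, but the `-l` directory is only ever used after the chroot, so it must be both given as a full host path and physically located inside the jail. The small sh script below computes the path snort will see for `-l` once chrooted and refuses a log directory that lies outside `-t`. The function names `chroot_relative` and `validate_logdir` are my own; with Dave's invocation, `/var/snort/var/log/snort` becomes `/var/log/snort` inside the jail, and with the 3.9 port's suggested `-l /var/snort/log` it becomes `/log`.

```shell
#!/bin/sh
# Added example (not from the thread): check the -t / -l pair of a chrooted
# snort invocation. Function names are illustrative, not snort's own.

# Collapse repeated slashes and drop a trailing one so comparisons are exact.
norm_path() {
    printf '%s\n' "$1" | sed -e 's#//*#/#g' -e 's#/$##'
}

# chroot_relative ROOT PATH
#   Prints PATH as the process will see it after chroot(ROOT); returns 1 if
#   PATH is not inside ROOT (the jail cannot reach it at all).
chroot_relative() {
    root=$(norm_path "$1")
    path=$(norm_path "$2")
    case "$path" in
        "$root")   printf '/\n' ;;
        "$root"/*) printf '%s\n' "${path#"$root"}" ;;
        *)         return 1 ;;
    esac
}

# validate_logdir ROOT LOGDIR
#   LOGDIR must lie inside ROOT and must already exist on the host, because
#   snort only creates its log files after it has chrooted. Prints the in-jail
#   path on success, a diagnostic on stderr and status 1 otherwise.
validate_logdir() {
    inside=$(chroot_relative "$1" "$2") || {
        echo "error: log dir $2 is outside chroot $1" >&2
        return 1
    }
    [ -d "$2" ] || {
        echo "error: log dir $2 does not exist; create it inside the jail" >&2
        return 1
    }
    printf '%s\n' "$inside"
}

# Usage with the two invocations quoted in the thread:
#   validate_logdir /var/snort /var/snort/var/log/snort   -> /var/log/snort
#   validate_logdir /var/snort /var/snort/log             -> /log
#   validate_logdir /var/snort /var/log/snort             -> error, outside jail
```

The ownership side of the same check is what the 3.9 PLIST's `@owner _snort` / `@group _snort` lines arrange: the in-jail log directory has to be writable by the `-u`/`-g` user after privileges are dropped, so a directory that passes the path test but is root-owned will still fail at the first log write.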