List:       snort-users
Subject:    Re: [Snort-users] snort + daemontools + chroot + remote mysql
From:       Erek Adams <erek () theadamsfamily ! net>
Date:       2001-06-28 1:16:57

On Wed, 27 Jun 2001, Ilmarinen wrote:

> Hi!

Hello!

> I am following the directions given in the daemontools/snort paper.
> The run script specifies some flags that are beyond my needs; I've shortened
> it to:
>
> #!/bin/sh
> ./bin/snort -c snort.conf -g snort -u snort -t /usr/snort
>
> Now, snort.conf has in it a remote database output line:
>
> output database: log, mysql, dbname=snort user=snort host=gah password=
>
> Without the -t in the run script everything runs fine, but if I put the
> -t in there it seems to ignore the output database and errors out,
> saying it can't find the right log directory (/usr/snort/var/log/snort or
> something).

I'd guess it's looking in the wrong directory for the config files, I think.
Once you chroot, that becomes the root or "/".  If you chroot to /usr/snort and
you have your paths listed as /var/log/snort, there will need to be a
dir /usr/snort/var/log/snort.

> Why is this happening? Is it possible to run chrooted AND log to a
> remote database?

Yes, it's possible.  I'm doing it.  :)

Things to remember:

*  It's a pain to chroot this.  I found all sorts of odd things that snort
does that make it tough to do.

*  I'm running on Solaris 2.7

*  I cheated.

Ok, Here's what I did:

Snort seems to need certain things to work.  It needs access to your NIC.  Most
*nixes don't allow joe user to grab the NIC and twiddle with it.  I tried to
create a user and a homedir, drop snort and its configs there.  It hated it.
"It can't be that hard...  Bind does this just fine."  So I dug around and
found a little package that would help you "build" a jail.  Built a jail under
the snort homedir, and started it up.  It wasn't perfect but it ran.  After
many nitpicky fixes (Thanks Fydor! ;), I got it to work fairly well.

Jailing, IIRC, will be improved in v2.0.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
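As an added illustration of the path mapping described above (not code from the thread or from the snort project), this hypothetical POSIX sh pre-flight check maps each path that snort.conf references to the host directory that must exist under the `-t` root, so a daemontools run script can refuse to start snort before it hits the "can't find the log directory" error. The root /usr/snort and the path /var/log/snort come from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: map a path as snort sees it after `snort -t ROOT`
# to the path the host must actually provide, and verify it exists.

# host_path ROOT PATH -> prints ROOT/PATH with duplicate slashes collapsed
host_path() {
    printf '%s\n' "$1/$2" | sed 's#//*#/#g'
}

# check_chroot_paths ROOT PATH... -> returns 0 if every PATH exists as a
# directory under ROOT, 1 otherwise; each missing one is reported on stderr
# together with the host directory that has to be created.
check_chroot_paths() {
    root=$1
    shift
    missing=0
    for p in "$@"; do
        hp=$(host_path "$root" "$p")
        if [ ! -d "$hp" ]; then
            echo "missing inside chroot: $p  (create $hp on the host)" >&2
            missing=1
        fi
    done
    return $missing
}

# Example matching the run script in the thread: snort is started with
# -t /usr/snort while snort.conf refers to /var/log/snort, so the host
# needs /usr/snort/var/log/snort.  A run script could do:
#
#   check_chroot_paths /usr/snort /var/log/snort /etc || exit 1
#   exec ./bin/snort -c snort.conf -g snort -u snort -t /usr/snort
```

Under daemontools a non-zero exit makes supervise restart the script, so the stderr line ends up in the service log instead of snort failing later inside the jail.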


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
