Re: [Snort-inline-users] snort_inline -u option problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Mar 12, 2004, at 1:56 AM, Pawel Czarnota wrote:

> Hey all,
> does anyone have a problem running snort_inline with -u option? We can 
> start
> snort_inline with -u USERNAME option, but when the traffic goes 
> through the
> bridge, snort_inline gives us messages for each packet and doesn't go
> anything through. Removing -u option works fine. Does anyone see 
> connection
> between this problem and the time stamp mySQL database log problem 
> (separate
> message)? Thanks

Based on my experience, you have to run snort_inline in privalleged 
mode (i.e. root).  For some reason, when ran unprivalleged, the process 
will start, but not let any packets through.  I'm assuming this has 
something to do with the fact it has to interact with individual 
packets.

To help compensate for this security issue, you can help mitigate risk 
by running snort_inline in a chroot'd environment combined with a 
kernel security patch, such as SELinux, grsecurity, or systrace.

lance