
Snort Forums Archive


strange behaviour


Posted by avalon on October 11, 2005 23:57:09

When snort exits, it outputs the following:
database: Closing connection to database "igned/Reserved IP protocol"
or
database: Closing connection to database "sh CRC32 overflow /bin/sh"
or
database: Closing connection to database "cla^Q"
or something other weird...

I run snort in a linux chroot with a non-root user.
Only the portscan log file is writable in the snort chroot.
Only null is in the dev directory.

I think that everything else works fine. I get everything logged...

Where is the problem? Should I post any additional information?

Posted by Joel_Esler on October 21, 2005 08:02:12

I've noticed that as well sometimes. Not sure what causes it..

Everything still works fine though..

Joel Esler
SOURCEfire

Posted by avalon on October 28, 2005 02:17:10

I've noticed that there are parts of the commands I typed on the console...
Is it possible for someone to reveal the issued commands after hacking snort?

Posted by Joel_Esler on October 28, 2005 16:30:08

Hacking Snort? You can hack Snort?

Joel Esler
SOURCEfire

Posted by avalon on November 08, 2005 22:23:59

If I could, I wouldn't ask...

But do you claim that snort is unhackable?

Posted by Joel_Esler on November 11, 2005 12:14:23

No piece of software is unhackable. That being said, we take great care and time at Sourcefire
to make sure that Snort is very carefully coded and reviewed. I think what you are trying to get
at is can someone look at your snort command line after they have hacked your box?

Joel Esler
SOURCEfire

Posted by avalon on November 14, 2005 06:24:32

I mean command lines issued before running snort.

I actually think that the problem may not be caused by snort, because it gets access to information it should not (only if I'm right that this is command line history or other important data). Maybe the OS, libs, or some other thing may be the reason.
As I mentioned, I run snort in a chroot with the compartment utility and not with snort's own capabilities.
I didn't mention that, because snort needs root access to bind to the interface, I first chroot it and then it changes its UID to a non-privileged one. So snort maybe accesses memory not intended to be seen before it switches to the non-root uid...