What Is the root User?
The user root on the sensor is used strictly for configuration of the operating system. It is not used for daily administrative tasks. The main task root is used for is running sysconfig-sensor, which is explained in detail later in this chapter.
The root account is used for the following tasks:
- Bootstrapping the sensor by executing the sysconfig-sensor command
- Running certain system-level commands, such as snoop
- Installing signature updates or service packs
- Starting or stopping the IDM web services
The snoop command is a handy one to remember, since you can use it to verify that the sensor can see the traffic you are interested in. snoop captures packets from the network and displays their contents on the screen; the capture can be saved to a file if needed. If snoop cannot see the traffic, neither can the IDS sensor monitoring interface. snoop examines the raw traffic on your network and can be run against any interface.
For example:
# snoop -d spwr0 port 45000
Using device /dev/spwr (promiscuous mode)
10.0.0.8 -> 10.0.0.4 UDP D=45000 S=45000 LEN=52
10.0.0.8 -> 10.0.0.4 UDP D=45000 S=45000 LEN=52
10.0.0.8 -> 10.0.0.4 UDP D=45000 S=45000 LEN=52
10.0.0.8 -> 10.0.0.4 UDP D=45000 S=45000 LEN=52
The preceding output is an example of the sensor 10.0.0.8 sending packets on UDP 45000 but receiving none. If the two devices were communicating properly, the snoop output would look like the following:
# snoop -d spwr0 port 45000
Using device /dev/iprb (promiscuous mode)
10.0.0.4 -> sensor1 UDP D=45000 S=45000 LEN=56
sensor1 -> 10.0.0.4 UDP D=45000 S=45000 LEN=56
172.18.124.142 -> sensor1 UDP D=45000 S=45000 LEN=56
sensor1 -> 172.18.124.194 UDP D=45000 S=45000 LEN=56
Notice traffic is flowing on UDP 45000 in both directions.
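The check described above (does postoffice traffic on UDP 45000 flow in both directions relative to the sensor?) can be automated over snoop's summary output. This is an added example, not part of the original text or the product; the function name postoffice_check and the sample snoop lines are constructed here, modelled on the two outputs shown above.

```shell
#!/bin/sh
# Added example: classify snoop one-line summaries for the postoffice port
# as bidirectional, transmit-only, receive-only, or none, relative to the
# sensor. Sample input is constructed, mirroring the outputs in the text.

# Constructed snoop output: sensor 10.0.0.8 transmits but never receives.
ONE_WAY='10.0.0.8 -> 10.0.0.4 UDP D=45000 S=45000 LEN=52
10.0.0.8 -> 10.0.0.4 UDP D=45000 S=45000 LEN=52'

# Constructed snoop output: sensor1 both sends and receives.
TWO_WAY='10.0.0.4 -> sensor1 UDP D=45000 S=45000 LEN=56
sensor1 -> 10.0.0.4 UDP D=45000 S=45000 LEN=56
172.18.124.142 -> sensor1 UDP D=45000 S=45000 LEN=56'

# postoffice_check SENSOR PORT < snoop-output
# SENSOR is the name or address exactly as snoop prints it.
postoffice_check() {
    awk -v sensor="$1" -v port="$2" '
        # Match only the summary form: src -> dst UDP D=port S=port LEN=n
        $2 == "->" && $4 == "UDP" && ($5 == ("D=" port) || $6 == ("S=" port)) {
            if ($1 == sensor) tx++   # datagram sent by the sensor
            if ($3 == sensor) rx++   # datagram received by the sensor
        }
        END {
            if (tx && rx) print "bidirectional"
            else if (tx)  print "transmit-only"
            else if (rx)  print "receive-only"
            else          print "none"
        }'
}

# Usage, e.g. on the sensor: snoop -d spwr0 port 45000 | postoffice_check sensor1 45000
printf '%s\n' "$ONE_WAY" | postoffice_check 10.0.0.8 45000   # transmit-only
printf '%s\n' "$TWO_WAY" | postoffice_check sensor1 45000    # bidirectional
```

A "transmit-only" result matches the first output in the text and points at the postoffice or routing configuration on the management device side before anything else is investigated.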
Note: If both sides are sending and receiving UDP 45000 packets and the output of the idsconns command says that a connection has not been established, go back and troubleshoot the postoffice parameters on the sensor and the management device.
The architecture is set up so that certain commands work only as root and not as the netrangr user. root is used to initialize the sensor and to make configuration changes as needed later on. Even when telnetting into the sensor, you log in as netrangr and must su to root in order to perform root tasks for configuration, or to modify a setting or permission in the Unix architecture.