The problem of using the user "nobody" is that if it is used for various services, and one of these is compromised it can also affect snort.
IMHO, we have two options: 1) Create a "snort" user/group and provide a package with fewer privileges by default (users can change that if they want) 2) Run snort as "nobody" and put a message in snort.install showing how to change the user/group that snort runs. I think the first option is better. -- Hugo
