Snort mailing list archives
Re: SIGHUP results in exit(1)
From: Thomas Linden <scip () daemon de>
Date: Wed, 30 May 2001 21:31:13 +0200 (CEST)
On Sun, 27 May 2001, Ralf Hildebrandt wrote:
> On Sat, May 26, 2001 at 11:55:28PM +0200, Thomas Linden wrote:
> > I sent a SIGHUP to snort and it died:
> > Received SIGHUP. Restarting
> > Restarting /usr/local/bin/snort failed
>
> Maybe due to /usr/local/bin/snort not existing in the chroot jail
> /var/log/snort.d ? ( /var/log/snort.d/usr/local/bin/snort )

OK, I created usr/local/bin under /var/log/snort.d and copied the snort binary to this location. But it still dies if I send it a SIGHUP. (With the same message as mentioned above). Then I researched it a little bit deeper:

[receiving SIGHUP:]
recvfrom(3, 0x807e17a, 1564, 0, 0xbffff8ac, 0xbffff898) = ? ERESTARTSYS (To be restarted)
--- SIGHUP (Hangup) ---
..
[now snort tries to connect to the log device:]
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EACCES (Permission denied)
..
[it tries to remove a possibly existing pid file:]
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
unlink("/var/run//snort_eth0.pid") = -1 EACCES (Permission denied)
..
[again, it tries to connect to syslog device]
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EACCES (Permission denied)
.. many more of those tries ..

then, many unsuccessful tries to connect to /dev/log later, it tries to execvp itself (as it was called by me):

execve("/usr/local/bin/snort", ["/usr/local/bin/snort", "-i", "eth0", "-u", "1", "-t", "/var/log/snort.d", "-c", "/etc/snort.conf", "-d", "-D", "-p", "-P", "4096", "-v", "-l", ...], [/* 23 vars */]) = -1 EACCES (Permission denied)
..
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
munmap(0x4018e000, 4096) = 0
munmap(0x40014000, 4096) = 0
_exit(1)

That's it. First, snort runs as user daemon (I used -u 1); second, and most important, it tried to open/connect to some files _within_ the chroot jail, i.e. /dev/log, so normally I need to have /var/log/snort.d/dev/log over there, and /var/log/snort.d/etc/snort.conf and /var/log/snort.d/var/run and so forth.

OK, I could create all those directories and files, it would work, but what would then happen? snort would chroot to /var/log/snort.d/var/log/snort.d if I send it a SIGHUP some time again!

Since I don't see a clean way to solve it, I suggest printing out a nice message stating that a SIGHUP received while running within a chroot jail will be ignored, and not exit(1).

Because normally one gets no response if sending a SIGHUP to a process. Most programs send something to syslog but not snort. I can only see the error message if I run it without -D. So if I do not realize that it does not run anymore I can lose information and possibly someone nasty can break in and I will not realize.

kind regards, Tom

--
=> PGP key: http://daemon.de/key.txt
=> "Experience is what you got when
=> you did not get what you wanted."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
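
The failures in the strace excerpt above, mapped to the host paths they resolve to inside the jail, as an added example that is not part of the original post or of Snort. It assumes the trace lines quoted in the message (with the execve argument list shortened where the post elides it); the helper names `jail_dir`, `failures_after_sighup` and `nested_jail` are hypothetical.

```python
import re
from posixpath import normpath

# Constructed sample: the strace lines quoted in the post; the execve argv is
# cut short after "-c /etc/snort.conf" because the post elides the rest.
STRACE = r'''
recvfrom(3, 0x807e17a, 1564, 0, 0xbffff8ac, 0xbffff898) = ? ERESTARTSYS (To be restarted)
--- SIGHUP (Hangup) ---
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EACCES (Permission denied)
unlink("/var/run//snort_eth0.pid") = -1 EACCES (Permission denied)
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EACCES (Permission denied)
execve("/usr/local/bin/snort", ["/usr/local/bin/snort", "-i", "eth0", "-u", "1", "-t", "/var/log/snort.d", "-c", "/etc/snort.conf"], [/* 23 vars */]) = -1 EACCES (Permission denied)
'''

FAILED = re.compile(r'^(\w+)\((.*)\)\s*=\s*-1\s+(E\w+)')  # syscall, args, errno
QUOTED = re.compile(r'"([^"]*)"')                         # quoted string arguments

def jail_dir(trace):
    """Return the directory given to -t (chroot) in the execve argv, or None."""
    for line in trace.splitlines():
        if line.startswith("execve("):
            argv = QUOTED.findall(line)[1:]  # drop the filename argument
            if "-t" in argv[:-1]:
                return argv[argv.index("-t") + 1]
    return None

def failures_after_sighup(trace):
    """Failed calls after SIGHUP as (syscall, errno, path in jail, path on host)."""
    jail, seen_hup, rows = jail_dir(trace), False, []
    for line in trace.splitlines():
        seen_hup = seen_hup or line.startswith("--- SIGHUP")
        m = FAILED.match(line) if seen_hup else None
        paths = QUOTED.findall(m.group(2)) if m else []
        if not paths:
            continue
        seen = normpath(paths[0].strip())  # path as the chrooted process names it
        host = normpath(jail + "/" + seen) if jail else seen
        row = (m.group(1), m.group(3), seen, host)
        if row not in rows:                # collapse the repeated connect() tries
            rows.append(row)
    return rows

def nested_jail(trace):
    """Host directory a re-exec'd snort would chroot into if -t is reused."""
    jail = jail_dir(trace)
    return normpath(jail + "/" + jail) if jail else None

if __name__ == "__main__":
    for row in failures_after_sighup(STRACE):
        print(*row)
    print("re-exec would chroot to", nested_jail(STRACE))
```
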