Snort mailing list archives

Snort Command/Control architecture when running as a daemon


From: Robert Ellis via Snort-devel <snort-devel () lists snort org>
Date: Sat, 2 Jan 2021 17:33:55 +0000

Hello & Happy New Year.

Presuming a deployment of Snort 3 on Ubuntu with Snort configured to run as
a daemon and configured 'in-line' (i.e. to operate as an IPS and drop bad
connections/packet streams).

Let us say I wanted to develop a new "Snort Health Check" daemon to
continuously monitor the health of the Snort daemon.

In the Snort manual I have found this:

1.10 Control Socket
Snort can be configured to provide a Unix socket that can be used to issue
commands to the running process. You must build snort with the
--enable-control-socket option. The control socket functionality is
supported on Linux only.
Snort can be configured to use the control socket using the command line
argument --cs-dir <path> and the snort config option cs_dir as follows:
    snort --cs-dir <path>
    config cs_dir:<path>
<path> specifies the directory for snort to create the socket in. If a
relative path is used, the path is relative to the pid path specified. If
there is no pid path specified, it is relative to the current working
directory.
A command snort_control is made and installed along with snort in the
same bin directory when configured with the --enable-control-socket option.

This control socket looks like it *may* be the ideal way to query the Snort
daemon to determine:
1) that the Snort daemon is 'alive' in the most basic sense (i.e. it has
been launched)
2) that the Snort daemon is operational in a more specific and meaningful
sense (e.g. the Snort daemon process is responsive to a command and the
response is sane/consistent)

Question 1: is that right? Or is there a
better/more-appropriate alternative for programmatically querying the health
of a running Snort daemon?

Question 2: if the above does indeed seem a reasonable approach, then is
there a particular command that would be a logical choice to issue for the
purpose of a routine health check?

In the Manual at Section 1.7.1 there is an illustration of Output metrics,
but I understand these are output only when Snort terminates:

===============================================================================
Run time for packet processing was 175.856509 seconds
Snort processed 3716022 packets.
Snort ran for 0 days 0 hours 2 minutes 55 seconds
   Pkts/min:      1858011
   Pkts/sec:        21234

===============================================================================

If there were a command that facilitated the output of one or more of these
metrics in real-time, it might be ideal for health-checking purposes, but I
have been unable to find anything documented that looks like the right fit.

Any ideas or pointers would be gratefully received. (I intend to take a
closer look at the Snort++ source code shortly, too; any pointers to the
relevant sections would also be appreciated).

Many thanks

Robert
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
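The two-level check the post sketches (process launched, then control socket responsive), as an added example in Python that is not part of the post or of Snort's own code. It assumes a pid file containing only the pid, a socket file named snort.sock inside cs_dir (hypothetical name), and treats a successful connect() as "responsive"; it sends no command, since the quoted manual text gives no wire format. The relative-path rule for cs_dir is taken from the quoted manual.

```python
"""Two-level Snort daemon health check (added example, not Snort code). Assumes:
pid file holds just the pid; socket is a file in cs_dir; connect() == responsive."""
import os
import socket
import tempfile

def resolve_cs_dir(cs_dir, pid_path=None):
    """Manual's rule: a relative cs_dir is relative to the pid path's directory,
    or to the current working directory when no pid path is set."""
    if os.path.isabs(cs_dir):
        return cs_dir
    base = os.path.dirname(os.path.abspath(pid_path)) if pid_path else os.getcwd()
    return os.path.normpath(os.path.join(base, cs_dir))

def process_alive(pid_file):
    """Check 1: the daemon has been launched and its pid still exists."""
    try:
        with open(pid_file) as f:
            pid = int(f.read().split()[0])
        os.kill(pid, 0)  # signal 0 delivers nothing; it only probes existence
        return True
    except PermissionError:  # pid exists but belongs to another user
        return True
    except (OSError, ValueError, IndexError):
        return False

def socket_responsive(sock_path, timeout=2.0):
    """Check 2: something is actually accepting connections on the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sock_path)
            return True
        except OSError:
            return False

def check_health(pid_file, sock_path):
    return {"alive": process_alive(pid_file), "responsive": socket_responsive(sock_path)}

def demo():
    """Constructed fixture: this process stands in for Snort (own pid file,
    listening socket 'snort.sock'; the socket name is hypothetical)."""
    pid_file = os.path.join(tempfile.mkdtemp(), "snort.pid")
    with open(pid_file, "w") as f:
        f.write("%d\n" % os.getpid())
    sock_path = os.path.join(resolve_cs_dir("cs", pid_file), "snort.sock")
    os.makedirs(os.path.dirname(sock_path))
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)  # healthy daemon, then one whose socket is missing
        return check_health(pid_file, sock_path), check_health(pid_file, sock_path + ".gone")
```

A health-check daemon would run check_health on a timer and alert when either field flips to False; "alive but not responsive" is the hung-process case the post wants to distinguish from a plain crash.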
