Snort mailing list archives
Re: SIGHUP results in exit(1)
From: Thomas Linden <scip () daemon de>
Date: Wed, 30 May 2001 21:31:13 +0200 (CEST)
On Sun, 27 May 2001, Ralf Hildebrandt wrote:
On Sat, May 26, 2001 at 11:55:28PM +0200, Thomas Linden wrote:I sent a SIGHUP to snort and it died: Received SIGHUP. Restarting Restarting /usr/local/bin/snort failedMaybe due to /usr/local/bin/snort not existing in the chroot jail /var/log/snort.d ? ( /var/log/snort.d/usr/local/bin/snort )
ok, I created usr/local/bin under /var/log/snort.d and copied the snort
binary to this location.
But it still dies if I send it a SIGHUP. (With the same message as
mentioned above).
Then I researched it a little bit deeper:
[receiving SIGHUP:]
recvfrom(3, 0x807e17a, 1564, 0, 0xbffff8ac, 0xbffff898) = ? ERESTARTSYS
(To be restarted)
--- SIGHUP (Hangup) ---
..
[now snort tries to connect to the log device:]
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EACCES
(Permission denied)
..
[it tries to remove a possibly existing pid file:]
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
unlink("/var/run//snort_eth0.pid") = -1 EACCES (Permission denied)
..
[again, it tries to connect to syslog device]
connect(4, {sin_family=AF_UNIX, path=" /dev/log"}, 16) = -1 EACCES
(Permission denied)
.. many more of those tries ..
then, many unsuccessful tries to connect to /dev/log later, it tries
to execvp itself (as it was called by me):
execve("/usr/local/bin/snort", ["/usr/local/bin/snort", "-i", "eth0",
"-u", "1", "-t", "/var/log/snort.d", "-c", "/etc/snort.conf", "-d", "-D",
"-p", "-P",
"4096", "-v", "-l", ...], [/* 23 vars */]) = -1 EACCES (Permission denied)
..
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
munmap(0x4018e000, 4096) = 0
munmap(0x40014000, 4096) = 0
_exit(1)
that's it. First, snort runs as User daemon (I used -u 1), second, and
most important, it tried to open/connect to some files _within_ the chroot
jail, i.e. /dev/log, so normally I need to have /var/log/snort.d/dev/log
over there, and /var/log/snort.d/etc/snort.conf and
/var/log/snort.d/var/run and so forth.
OK, I could create all those directories and files, it would work, but
what would then happen? snort would chroot to
/var/log/snort.d/var/log/snort.d if I send it a SIGHUP some time again!
Since I don't see a clean way to solve it, I suggest to print out a nice
message stating, that SIGHUP reveiving while running within a chroot jail
will be ignored, and not exit(1). Because normally one gets no response if
sending a SIGHUP to a process. Most programs send something to syslog but
not snort. I can only see the error message if I run it without -D. So if
I do not realize that it does not run anymore I can lose informations and
possibly someone nasty can break in and I will not realize.
kind regards,
Tom
--
=> PGP key: http://daemon.de/key.txt
=> "Experience is what you got when
=> you did not get what you wanted."
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SIGHUP results in exit(1) Thomas Linden (May 26)
- Re: SIGHUP results in exit(1) Keith Woodworth (May 26)
- Re: SIGHUP results in exit(1) Thomas Linden (May 26)
- Compilation errors with mySQL Blake Frantz (Jun 14)
- Re: SIGHUP results in exit(1) Ralf Hildebrandt (May 27)
- Re: SIGHUP results in exit(1) Thomas Linden (May 30)
- Re: SIGHUP results in exit(1) Keith Woodworth (May 26)