Snort mailing list archives
Re: HUP causes wierd msgs in snort-1.8.1-beta6
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 7 Aug 2001 14:56:22 -0700 (PDT)
On Wed, 8 Aug 2001, Jason Haar wrote: [...snip...]
When snort receives the HUP, it logs this:

-*> Snort! <*-
Version 1.8.1-beta6 (Build 60)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
<bunch of binary chars follow>
WARNING: _PATH_VARRUN is invalid, trying /var/log...
WARNING: /var/log/ is invalid, logging Snort PID to log directory (/var/log/snort)
ERROR: OpenPcap() device eth0 open: socket: Operation not permitted
Fatal Error, Quitting..

Issues with HUP seem to come up a bit. Just what can be done with snort running as a non-root user? What signals work as expected?
Ok, this one is just "the way it is." :)
This is running in a chroot'ed jail, and I've made /var owned by the snort account, so I cannot understand what all those warnings are about PID entries either...
I've hit this myself, and understand your pain and confusion. Dragos has a message in the archives that explains it fairly well. Read it if you want to really understand what's going on. But the short answer is this:

Due to the way the execv(2) call works, it "Restarts" snort from scratch. This has the odd side effect of making HUPS to a chrooted snort become recursive. For example, chroot to /snort. It now sees /snort as / . Now HUP snort. Snort now expects to have /snort/snort as / . In other words, you have to re-create your directories for your jail inside it. 4 HUPS and you will be in /snort/snort/snort/snort . *bleh*

Just consider HUP 'kinda' broke. :) The guys are _busy_ and it's not a show stopper. I know it will get fixed as soon as the cycles are there to rework the HUP code. Besides, the only ones who hit it are folks who are chrooting and HUPing, and we're few and far between. I know Marty is glad of that! ;-)

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
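The following is an added illustration, not part of the original message and not Snort's code: a small C model of why re-running startup after execv(2) nests the jail, and why a process that has already dropped root fails with "Operation not permitted" instead. The struct, the function names and the startup order (open capture, chroot, drop privileges) are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the state that survives execv(2): root directory and uid. */
struct proc {
    char root[256]; /* host path this process sees as "/" */
    int uid;        /* 0 = root */
};

/* Model of chroot(2): needs root; dir resolves inside the current root (existence not checked). */
static int model_chroot(struct proc *p, const char *dir)
{
    if (p->uid != 0)
        return -EPERM;
    if (strlen(p->root) + strlen(dir) >= sizeof p->root)
        return -ENAMETOOLONG;
    if (strcmp(p->root, "/") == 0)
        p->root[0] = '\0';
    strcat(p->root, dir);
    return 0;
}

/* Assumed startup order: open capture device, chroot, drop privileges. */
static int startup(struct proc *p, const char *jail, int run_uid)
{
    if (p->uid != 0)
        return -EPERM; /* raw capture socket: "Operation not permitted" */
    int rc = model_chroot(p, jail);
    if (rc == 0 && run_uid != 0)
        p->uid = run_uid;
    return rc;
}

/* First start plus `hups` re-executions with the same command line. */
int restart_n(struct proc *p, const char *jail, int run_uid, int hups)
{
    int rc = startup(p, jail, run_uid);
    for (int i = 0; rc == 0 && i < hups; i++)
        rc = startup(p, jail, run_uid);
    return rc;
}

int main(void)
{
    struct proc p = { "/", 0 };
    int rc = restart_n(&p, "/snort", 0, 3);
    printf("rc=%d root=%s\n", rc, p.root);
    return 0;
}
```

In the model, a process that stays root ends up one jail level deeper per restart, while one that switched to an unprivileged uid fails on the first restart before it ever reaches the chroot step.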