Snort mailing list archives

Re: HUP causes weird msgs in snort-1.8.1-beta6


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 7 Aug 2001 14:56:22 -0700 (PDT)

On Wed, 8 Aug 2001, Jason Haar wrote:

[...snip...]

> When snort receives the HUP, it logs this:
>
> -*> Snort! <*-
> Version 1.8.1-beta6 (Build 60)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> <bunch of binary chars follow>
>
> WARNING: _PATH_VARRUN is invalid, trying /var/log...
> WARNING: /var/log/ is invalid, logging Snort PID to log directory
> (/var/log/snort)
> ERROR: OpenPcap() device eth0 open:
> socket: Operation not permitted
> Fatal Error, Quitting..
>
> Issues with HUP seem to come up a bit. Just what can be done with snort
> running as a non-root user? What signals work as expected?

Ok, this one is just "the way it is."  :)

> This is running in a chroot'ed jail, and I've made /var owned by the snort
> account, so I cannot understand what all those warnings are about PID
> entries either...

I've hit this myself, and understand your pain and confusion.  Dragos has a
message in the archives that explains it fairly well.  Read it if you want to
really understand what's going on.

But the short answer is this:  Due to the way the execv(2) call works, it
"Restarts" snort from scratch.  This has the odd side effect of making HUPS to
a chrooted snort become recursive.  For example, chroot to /snort.  It now
sees /snort as / .  Now HUP snort.  Snort now expects to have /snort/snort as
/ .  In other words, you have to re-create your directories for your jail
inside it.  4 HUPS and you will be in /snort/snort/snort/snort .  *bleh*

Just consider HUP 'kinda' broke.  :)  The guys are _busy_ and it's not a show
stopper.  I know it will get fixed as soon as the cycles are there to rework
the HUP code.  Besides, the only ones who hit it are folks who are chrooting
and HUPing, and we're few and far between.  I know Marty is glad of that! ;-)

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
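
Added example (not part of the original message and not Snort's own code): a small C model of the nesting described above, where each restart re-applies chroot() relative to the current root, plus one way a restart path can avoid it by leaving the chroot option out of the argv handed to execv(). The function names, the sample command line, and the use of "-t" as the chroot flag are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Host-side directory a process is rooted at once chroot(jail) has been
 * applied `times` times, each call resolved against the previous root. */
int nested_root(const char *jail, int times, char *out, size_t outlen)
{
    size_t used = 0, n = strlen(jail);
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < times; i++) {
        if (used + n + 1 > outlen) return -1;   /* would not fit */
        memcpy(out + used, jail, n + 1);
        used += n;
    }
    return 0;
}

/* Copy argv for a re-exec from inside the jail, leaving out the chroot
 * option and its argument so start-up does not chroot a second time.
 * Returns the new argc, or -1 if `out` is too small. */
int restart_argv(int argc, char *const argv[], const char *chroot_opt,
                 char *out[], int outcap)
{
    int n = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], chroot_opt) == 0 && i + 1 < argc) {
            i++;                    /* skip the option's argument too */
            continue;
        }
        if (n + 1 >= outcap) return -1;
        out[n++] = argv[i];
    }
    out[n] = NULL;                  /* execv() needs a NULL terminator */
    return n;
}

int main(void)
{
    /* Constructed command line; "-t" as the chroot flag is an assumption. */
    char *argv[] = { "snort", "-u", "snort", "-t", "/snort", "-c", "/etc/snort.conf" };
    char *next[8], root[64];
    int n = restart_argv(7, argv, "-t", next, 8);
    nested_root("/snort", 4, root, sizeof root);
    printf("root after 4 chroots: %s\nre-exec argv:", root);
    for (int i = 0; i < n; i++) printf(" %s", next[i]);
    printf("\n");
    return 0;
}
```
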

