Snort mailing list archives

Re: HUP causes weird msgs in snort-1.8.1-beta6


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 8 Aug 2001 09:50:57 -0700 (PDT)

On Wed, 8 Aug 2001, Jason Haar wrote:

> I don't think this applies to me.
>
> I'm not running "snort -t", I'm running:
>
> chroot dir /usr/sbin/snort -u snort .....

Gotcha!  But--It does get you. :)


In /* $Id: snort.c,v 1.106 2001/08/07 11:46:10 fygrave Exp $ */ (latest CVS)
you have the following:

2089  /*
2090   *
2091   * exit_or_exec()
2092   * Arguments: status, signal received.
2093   *
2094   * This function performs exec on SIGHUP signal and exit otherwise
2095   *
2096   */
2097  void exit_or_exec(int stat, int sig)
2098  {
2099      /* make sure everything that needs to go to the screen gets there */
2100      fflush(stdout);
2101
2102      if(sig != SIGHUP)
2103      {
2104          if(!pv.test_mode_flag)
2105          {
2106              LogMessage("Snort received signal %d, exiting\n", sig);
2107          }
2108
2109          exit(stat);
2110      }
2111      else
2112      {
2113          LogMessage("Received SIGHUP. Restarting");
2114  #ifdef PARANOID
2115          execv(progname, progargs);
2116  #else
2117          execvp(progname, progargs);
2118  #endif
2119          LogMessage("Restarting %s failed", progname);
2120          exit(1);
2121      }
2122  }
2123

In line 2115:  When it gets HUP'ed, it executes an execv(2) or an execvp(2).
That basically 'restarts' snort from scratch.  Chroot works as if the
directory you specify becomes / and not /foo.  From the chroot(1m) man page:

[...snip...]
DESCRIPTION
     The chroot  utility causes  command to be executed  relative
     to   newroot.  The meaning of any initial slashes (/) in the
     path names is changed to  newroot for  command  and  any  of
     its  child  processes.  Upon  execution, the initial working
     directory is newroot.
[...snip...]

> i.e. *I* set up the jail - not snort. So snort should be self-contained. HUP
> should work as normal.

Snort is self-contained; it's the way that chroot + execv(p) works.

> On our DMZ hosts, I make a habit of "manually" chroot'ing any network app I
> can - HUP works as expected on squid,sockd,apache and mysql, so I can't
> understand why snort has difficulties.

Right.  Other apps don't use the execv(p) function as snort does.  It's not
really a 'snort problem', it's more of an A + B issue.  :-/

Sorry to be the bearer of bad news, but I've been down this path before.  It
just broke my little mind!  Thankfully Dragos, Fydor and Mary pointed me at
the right man pages.  ;-)

Best solution:  Start a new copy, sleep for 60 seconds then kill the old copy.
That will give you a bit of overlap, but not be out for any amount of time.
Not elegant, but it works.

If I _could_ code my way out of a wet paper bag, I'd try to fix it in some
manner.....  :-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

