Snort mailing list archives

-T option useless - good init script anyone?


From: Andreas Hasenack <andreas () conectiva com br>
Date: Wed, 9 Mar 2005 18:39:48 -0300

Currently the -T option is completely useless. In daemon mode, where it
would be most useful, it gives us nothing. Instead of testing the
configuration and giving an error if that's the case, it does nothing.

Check this example out:

# snort -A fast -b -D -d  -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -T;echo $?
0

The logs:
Mar  9 18:34:56 pandora snort: Writing PID "7093" to file "/var/run/snort/snort_eth0.pid"
Mar  9 18:34:56 pandora snort: Parsing Rules file /etc/snort/snort.conf
Mar  9 18:34:56 pandora snort: ,-----------[Flow Config]----------------------
Mar  9 18:34:56 pandora snort: | Stats Interval:  0
Mar  9 18:34:56 pandora snort: | Hash Method:     2
Mar  9 18:34:56 pandora snort: | Memcap:          10485760
Mar  9 18:34:56 pandora snort: | Rows  :          4099
Mar  9 18:34:56 pandora snort: | Overhead Bytes:  16400(%0.16)
Mar  9 18:34:56 pandora snort: `----------------------------------------------
Mar  9 18:34:56 pandora snort: FATAL ERROR:  unknown preprocessor "andreas" <------------

So, there was a fatal error, but there was no way to tell other than looking at the logs. This makes
it very difficult and unreliable to write an initialization script for snort, since there is no
clean way to check if snort is running or not.

Not even the PID can be used, as it is written before entering daemon mode and loading the rules.

Either snort should not daemonize until it has checked everything is fine or there should be some other
way to verify things. Perhaps moving the pid file creation all the way to the end, just before the
"Snort initialization completed successfully" message? Then the init script could check for the pid
file and decide whether snort started or not.
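
An added example, not part of the original post and not code from the Snort project: since the exit status and the PID file are both unreliable in daemon mode as described above, an init script can instead judge the start attempt from the syslog lines that follow the "Writing PID" entry. The function names, the syslog file location passed in, and the exact logged form of the success message are assumptions; the sample log is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post): decide from syslog whether a daemonized
# snort really started. Exit status: 0 = success message logged after the PID
# line, 1 = FATAL ERROR logged, 2 = neither yet (still starting or unknown).
snort_start_status() {  # usage: snort_start_status LOGFILE PID
    awk -v pid="$2" '
        / snort: Writing PID "/ {
            # Each PID line opens a new start attempt; judge the latest one for our PID.
            active = (index($0, "Writing PID \"" pid "\" ") > 0)
            if (active) { found = 1; state = 2 }
            next
        }
        active && / snort: FATAL ERROR/ { state = 1; msg = $0 }
        active && state != 1 && /Snort initialization completed successfully/ { state = 0 }
        END { if (state == 1) print msg; exit (found ? state : 2) }
    ' "$1"
}

# Hypothetical helper an init script could call right after launching
# "snort -D ...": poll until the outcome is known or TIMEOUT seconds pass.
snort_wait_started() {  # usage: snort_wait_started LOGFILE PIDFILE TIMEOUT
    pid=$(cat "$2" 2>/dev/null) || return 2
    tries=0
    while :; do
        rc=0
        snort_start_status "$1" "$pid" || rc=$?
        if [ "$rc" -ne 2 ] || [ "$tries" -ge "$3" ]; then return "$rc"; fi
        sleep 1
        tries=$((tries + 1))
    done
}

# Constructed sample: the failed start quoted in the post, then a made-up good
# start (PID 7150 and the format of its success line are assumptions).
write_sample_log() {  # usage: write_sample_log FILE
    cat > "$1" <<'EOF'
Mar  9 18:34:56 pandora snort: Writing PID "7093" to file "/var/run/snort/snort_eth0.pid"
Mar  9 18:34:56 pandora snort: Parsing Rules file /etc/snort/snort.conf
Mar  9 18:34:56 pandora snort: FATAL ERROR:  unknown preprocessor "andreas"
Mar  9 18:40:02 pandora snort: Writing PID "7150" to file "/var/run/snort/snort_eth0.pid"
Mar  9 18:40:03 pandora snort: Snort initialization completed successfully
EOF
}
```

The check is only as reliable as syslog delivery, and it cannot separate interleaved output from several snort instances that log to the same file at the same time.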


