Re: snort -Q 2.8.5.1 SIGHUP config reload feature

[Todd Wease <twease () sourcefire com>]

On 11/19/2009 07:08 AM, Kayvan Javid wrote:
> I am running two snort processes, one in inline mode using ipqueue (for
> ips) the other listening on a nic in promiscuous mode (for ids).
>
> Sending a SIGHUP to the ids process results in a config reload no
> problem at all, starting and ending with the following log messages:
>
> LogMessage("        --== Reloading Snort ==--\n");
> <reload config output here>
> [ LowMem Search-Method Memory Used : 24.964 KBytes ]
> LogMessage("        --== Reload Complete ==--\n");
>
> The problem is when sending a SIGHUP to the snort process running in
> inline mode.  The log starts:
>
> LogMessage("        --== Reloading Snort ==--\n");
>
> Gets down to:
> [ LowMem Search-Method Memory Used : 24.964 KBytes ]
>
> Then sits there, doing nothing, and never completes the config reload,
> any subsequent SIGHUP signals are just ignored.
>
> After debugging I see it is getting caught in snort.c at:
>
> static void * ReloadConfigThread(void *data)
> {
> --snip
>       while (!snort_swapped&&  !snort_exiting)
>               sleep(1);
> --snip
>
> The obvious problem is the flags not being set elsewhere, the
> snort_swapped flag is set at:
>
> static INLINE void CheckForReload(void)
> {
>       if (snort_reload)
>       {
>               snort_swapped = 1;
>       }
>
>
> This CheckForReload() function, which sets the flag needed to complete
> the config reload seems to be called from only two places:
>
> 1. void PcapProcessPacket(char *user, struct pcap_pkthdr * pkthdr, const
> u_char * pkt)
>
> 2. void * InterfaceThread(void *arg)
>
> Neither of these functions are called in inline mode so the config
> reload never completes.  No.1 is only when using Pcap during IDS and
> InterfaceThread is never called when inline, as per:
>
> static void SnortProcess(void)
> {
> #ifdef GIDS
>      if (ScAdapterInlineMode())
>      {
> #ifndef IPFW
>          IpqLoop();
> #else
>          IpfwLoop();
> #endif
>      }
>      else
>      {
> #endif /* GIDS */
>
>          DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Entering pcap loop\n"););
>
>          InterfaceThread(NULL);
> #ifdef GIDS
>      }
> #endif /* GIDS */
> }
>
> So..... looking in the IpqLoop now in inline.c we have, the usual signal
> check loop, but no call to CheckForReload(), which the IDS code path
> signal handling in snort.c has.
>
> Obviously adding the call to CheckForReload in the signal checking in
> inline.c resolves this. Simples.  However CheckForReload in snort.c is
> currently a static INLINE function.  Removing this allows this fix to
> work, and for snort in inline mode to complete a settings reload after a
> SIGHUP without any problem.
>
> My questions are:
>
> 1. Why is CheckForReload() a static INLINE function, does it impact
> performance that much otherwise?
>
> 2. Is my suggestion a valid fix to the problem, or am I missing
> something fundamental ?
>
> Cheers,
> Kave

Both IpqLoop and IpfwLoop call PcapProcessPacket.  The situation where 
PcapProcessPacket would not be called from these seems to be if there is 
no traffic being received.  Can you verify that traffic is being received?



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel