Snort mailing list archives
Re: snort -Q 2.8.5.1 SIGHUP config reload feature
From: Todd Wease <twease () sourcefire com>
Date: Thu, 19 Nov 2009 08:02:58 -0500
On 11/19/2009 07:08 AM, Kayvan Javid wrote:
I am running two snort processes, one in inline mode using ipqueue (for ips) the other listening on a nic in promiscuous mode (for ids).

Sending a SIGHUP to the ids process results in a config reload no problem at all, starting and ending with the following log messages:

    LogMessage(" --== Reloading Snort ==--\n");
    <reload config output here>
    [ LowMem Search-Method Memory Used : 24.964 KBytes ]
    LogMessage(" --== Reload Complete ==--\n");

The problem is when sending a SIGHUP to the snort process running in inline mode. The log starts:

    LogMessage(" --== Reloading Snort ==--\n");

Gets down to:

    [ LowMem Search-Method Memory Used : 24.964 KBytes ]

Then sits there, doing nothing, and never completes the config reload, any subsequent SIGHUP signals are just ignored.

After debugging I see it is getting caught in snort.c at:

    static void * ReloadConfigThread(void *data)
    {
    --snip
        while (!snort_swapped && !snort_exiting)
            sleep(1);
    --snip

The obvious problem is the flags not being set elsewhere, the snort_swapped flag is set at:

    static INLINE void CheckForReload(void)
    {
        if (snort_reload)
        {
            snort_swapped = 1;
        }

This CheckForReload() function, which sets the flag needed to complete the config reload seems to be called from only two places:

1. void PcapProcessPacket(char *user, struct pcap_pkthdr * pkthdr, const u_char * pkt)
2. void * InterfaceThread(void *arg)

Neither of these functions are called in inline mode so the config reload never completes. No.1 is only when using Pcap during IDS and InterfaceThread is never called when inline, as per:

    static void SnortProcess(void)
    {
    #ifdef GIDS
        if (ScAdapterInlineMode())
        {
    #ifndef IPFW
            IpqLoop();
    #else
            IpfwLoop();
    #endif
        }
        else
        {
    #endif /* GIDS */
            DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Entering pcap loop\n"););
            InterfaceThread(NULL);
    #ifdef GIDS
        }
    #endif /* GIDS */
    }

So..... looking in the IpqLoop now in inline.c we have, the usual signal check loop, but no call to CheckForReload(), which the IDS code path signal handling in snort.c has.

Obviously adding the call to CheckForReload in the signal checking in inline.c resolves this. Simples.

However CheckForReload in snort.c is currently a static INLINE function. Removing this allows this fix to work, and for snort in inline mode to complete a settings reload after a SIGHUP without any problem.

My questions are:

1. Why is CheckForReload() a static INLINE function, does it impact performance that much otherwise?
2. Is my suggestion a valid fix to the problem, or am I missing something fundamental?

Cheers,
Kave
Both IpqLoop and IpfwLoop call PcapProcessPacket. The situation where PcapProcessPacket would not be called from these seems to be if there is no traffic being received. Can you verify that traffic is being received?
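The behaviour discussed in this thread, as an added example that is not part of either message or of Snort's source: a single-threaded C model of the reload handshake, using the flag and function names quoted above. The tick-based loop, `run_inline_loop` and its `check_when_idle` parameter, and the sample traffic arrays are assumptions made for illustration.

```c
#include <stdio.h>

/* Flag and function names follow the thread; the loop is a constructed model. */
static int snort_reload;   /* new config parsed, waiting to be swapped in */
static int snort_swapped;  /* packet path has acknowledged the swap */

static void CheckForReload(void)
{
    if (snort_reload)
        snort_swapped = 1;
}

/* Stand-in for the per-packet callback, which polls for a pending reload. */
static void PcapProcessPacket(void)
{
    CheckForReload();
}

/* Constructed traffic samples: 1 = a packet arrived in that tick, 0 = idle. */
static const int QUIET[5] = {0, 0, 0, 0, 0};
static const int BUSY[5]  = {0, 0, 0, 1, 0};

/*
 * Hypothetical inline receive loop. The reload becomes pending at tick
 * reload_at. Returns the tick at which the swap was acknowledged, or -1 if
 * the reload thread would still be waiting when the loop ends.
 */
int run_inline_loop(const int *has_packet, int nticks, int reload_at,
                    int check_when_idle)
{
    snort_reload = snort_swapped = 0;
    for (int t = 0; t < nticks; t++) {
        if (t == reload_at)
            snort_reload = 1;
        if (has_packet[t])
            PcapProcessPacket();
        else if (check_when_idle)
            CheckForReload();      /* poll on the idle/signal-check path too */
        if (snort_swapped)
            return t;
    }
    return -1;
}

int main(void)
{
    printf("quiet, packet path only: %d\n", run_inline_loop(QUIET, 5, 2, 0));
    printf("busy,  packet path only: %d\n", run_inline_loop(BUSY, 5, 2, 0));
    printf("quiet, idle check added: %d\n", run_inline_loop(QUIET, 5, 2, 1));
    return 0;
}
```

On a sensor that sees no traffic, a reload that never completes leaves the old rule set enforcing, so confirming the "Reload Complete" log line after each SIGHUP is a useful operational check.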