Snort mailing list archives

Re: Multiple Snort Instances With Identical Interfaces In Daemon

From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 07 May 2011 22:14:14 -0400

On 5/6/2011 17:49, Joel Esler wrote:

Eoin,

Yes, we are having an internal discussion about different "fix" options we have.  I'll report back when we iron it 
out.


hopefully the patch or fix will be something that can easily be back ported to 
previous versions of snort???


J

On May 6, 2011, at 4:59 PM, Eoin Miller wrote:

On 5/5/2011 10:17 PM, Eoin Miller wrote:

Something else I am noticing, if you use the --pid-path option at the
command line and then you have snort exit gracefully, it just decides to
leaves the .pid file behind without deleting it? This behavior does not
occur unless you use --pid-path when you are daemonizing.

-- Eoin

Think I figured out what is going on with this.

1) Snort fires up using --pid-path=/somedir and is being daemonized as
user daemon
2) Snort creates a pid file
3) Snort daemonizes to a less priv user
4) When snort tries to shut down now under the context of the less priv
user, it doesn't have rights to delete the pid file that was created by
root.

Looks like Snort needs to change the uid/gid ownership of the pid file
right before it daemonizes like other processes. Otherwise peoples init
scripts need to go around cleaning up after it and/or manage the
permissions of the directory that the pid file goes into. This was
discovered with 2.9.0.5.


------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Multiple Snort Instances With Identical Interfaces In Daemon Eoin Miller (May 05)
- Re: Multiple Snort Instances With Identical Interfaces In Daemon Martin Holste (May 05)
  - Re: Multiple Snort Instances With Identical Interfaces In Daemon Joel Esler (May 05)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon Eoin Miller (May 05)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon Joel Esler (May 05)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon Martin Holste (May 05)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon Eoin Miller (May 07)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon waldo kitty (May 06)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon Joel Esler (May 07)
    - Re: Multiple Snort Instances With Identical Interfaces In Daemon waldo kitty (May 07)