Re: snort3-261: snort can not stop on QUIT and TERM in NFQ mode.

[Meridoff via Snort-devel <snort-devel () lists snort org>]

I've debugged some and found that on QUIT/TERM/INT analyzer  can't stop for
some reason: ACStop didint' called though it must be and
analyzer.exit_requested is not settled.

This happenes because of nl_socket_recv() ( called in function
nfq_daq_msg_receive()
), after snort receiving signal TERM/QUIT or INT, always returns EAGAIN or
EWOULDBLOCK and never EINTR, so even when nfqc->interrupted=true this
doesn't result to returning status DAQ_RSTAT_INTERRUPTED and always return
status DAQ_RSTAT_TIMEOUT (because i think idx=0 always in this function,
but i've not debugged this yet, so recvmsg is may be always BLOCKING).

In any case : in afpacket mode we receive DAQ_RSTAT_IUNTERRUPTED from DAQ,
and in nfq we don't receive this status and that is why snort can't stop in
NFQ mode.

As workaround such code in nfq_daq_msg_receive() can solve problem and
snort can stop but may be it is not good solution:

*ssize_t ret = nl_socket_recv(nfqc, desc->nlmsg_buf, nfqc->nlmsg_bufsize,
idx == 0);*
*if (ret < 0)*
* {*
*        if (errno == ENOBUFS)*
*       {*
*               nfqc->stats.hw_packets_dropped++;*
*               continue;*




*         }     else if (nfqc->interrupted)         {
*rstat = DAQ_RSTAT_INTERRUPTED;                     nfqc->interrupted =
false; *
*       } else if (errno == EAGAIN || errno == EWOULDBLOCK)*
*                        *rstat = (idx == 0) ? DAQ_RSTAT_TIMEOUT :
DAQ_RSTAT_WOULD_BLOCK;*
*        else if (errno == EINTR)*
*         {*
*                  if (!nfqc->interrupted)*
*                        continue;*

*        } *


чт, 10 окт. 2019 г. в 19:44, Meridoff <oagvozd () gmail com>:

> Hello, i run snort3 build 261 with nfq
>
> Config concerning to daq :
> *ips.mode="tap"*
> *daq = { module_dirs = { "/usr/lib/daq" } }*
> *daq.inputs = {'1'}   --my queue ID*
> *daq.modules = { { name = 'nfq', mode='passive' } }*
>
> When I try to kill snort I see in log:
>
> *Oct  9 11:36:32 xxx snort[25483]:
> --------------------------------------------------*
> *Oct  9 11:36:32 xxx snort[25483]: nfq DAQ configured to passive.*
> *Oct  9 11:36:32 xxx snort[25483]: initializing daemon mode*
> *Oct  9 11:36:32 xxx snort[25483]: child process is 25484*
> *Oct  9 11:36:32 xxx snort[25484]: Commencing packet processing*
> *Oct  9 11:36:32 xxx snort[25484]: ++ [0] 1*
> *Oct  9 11:36:32 xxx snort[25484]: Writing PID "25484" to file
> "/var/run/snort.pid"*
> *Oct  9 11:36:32 xxx snort[25484]: Chroot directory = /*
> *Oct  9 11:38:02 xxx snort[25484]: ** caught term signal*
> *Oct  9 11:38:02 xxx snort[25484]: == stopping*
> *Oct  9 11:38:31 xxx snort[25484]: ** caught quit signal*
> *Oct  9 11:38:31 xxx snort[25484]: == stopping*
>
> And process remains running..
> As I know* --dirty-pig* mode is ON when killing by QUIT, but even this
> can'not help.
>
> I even tried to not configure nfq in iptables . With iptables configured
> for nfq - the same situation..
>
> Is it dungerous to use *always exit_pronto = true *in sources? So quick
> exit without cleanup can be done..
>
> exit_pronto settled to false after some part of initialization done. May
> do no set it to false for avalibilty of quick exist ?
>
> Thanks.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!