Snort mailing list archives

Re: snort3-261: snort can not stop on QUIT and TERM in NFQ mode.


From: "Michael Altizer \(mialtize\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 17 Oct 2019 05:19:44 +0000

Try with the latest from libdaq master branch.  (See: https://seclists.org/snort/2019/q4/78)

On 10/16/19 3:57 PM, Meridoff via Snort-devel wrote:
I've debugged some and found that on QUIT/TERM/INT the analyzer can't stop for some reason: ACStop isn't called though
it must be, and analyzer.exit_requested is not set.

This happens because nl_socket_recv() (called in nfq_daq_msg_receive()), after snort receives the signal
TERM/QUIT or INT, always returns EAGAIN or EWOULDBLOCK and never EINTR, so even when nfqc->interrupted == true this
doesn't result in returning status DAQ_RSTAT_INTERRUPTED; it always returns status DAQ_RSTAT_TIMEOUT (because I think
idx == 0 always in this function, but I've not debugged this yet, so recvmsg may always be BLOCKING).
In any case: in afpacket mode we receive DAQ_RSTAT_INTERRUPTED from DAQ, and in nfq we don't receive this status, and
that is why snort can't stop in NFQ mode.

As a workaround, code like this in nfq_daq_msg_receive() can solve the problem and snort can stop, but maybe it is not a good
solution:

ssize_t ret = nl_socket_recv(nfqc, desc->nlmsg_buf, nfqc->nlmsg_bufsize, idx == 0);
if (ret < 0)
{
    if (errno == ENOBUFS)
    {
        /* Kernel dropped packets because the netlink socket buffer overflowed. */
        nfqc->stats.hw_packets_dropped++;
        continue;
    }
    else if (nfqc->interrupted)
    {
        /* Workaround: check the interrupt flag before errno, since after a signal
           the receive call comes back with EAGAIN/EWOULDBLOCK rather than EINTR. */
        *rstat = DAQ_RSTAT_INTERRUPTED;
        nfqc->interrupted = false;
    }
    else if (errno == EAGAIN || errno == EWOULDBLOCK)
    {
        *rstat = (idx == 0) ? DAQ_RSTAT_TIMEOUT : DAQ_RSTAT_WOULD_BLOCK;
    }
    else if (errno == EINTR)
    {
        /* Only reached when the flag is clear, because of the branch above. */
        if (!nfqc->interrupted)
            continue;
    }
}

Thu, 10 Oct 2019 at 19:44, Meridoff <oagvozd () gmail com> wrote:
Hello, I run snort3 build 261 with nfq.

Config concerning daq:
ips.mode="tap"
daq = { module_dirs = { "/usr/lib/daq" } }
daq.inputs = {'1'}   --my queue ID
daq.modules = { { name = 'nfq', mode='passive' } }

When I try to kill snort I see in log:

Oct  9 11:36:32 xxx snort[25483]: --------------------------------------------------
Oct  9 11:36:32 xxx snort[25483]: nfq DAQ configured to passive.
Oct  9 11:36:32 xxx snort[25483]: initializing daemon mode
Oct  9 11:36:32 xxx snort[25483]: child process is 25484
Oct  9 11:36:32 xxx snort[25484]: Commencing packet processing
Oct  9 11:36:32 xxx snort[25484]: ++ [0] 1
Oct  9 11:36:32 xxx snort[25484]: Writing PID "25484" to file "/var/run/snort.pid"
Oct  9 11:36:32 xxx snort[25484]: Chroot directory = /
Oct  9 11:38:02 xxx snort[25484]: ** caught term signal
Oct  9 11:38:02 xxx snort[25484]: == stopping
Oct  9 11:38:31 xxx snort[25484]: ** caught quit signal
Oct  9 11:38:31 xxx snort[25484]: == stopping

And the process remains running.
As far as I know, --dirty-pig mode is ON when killing by QUIT, but even this cannot help.

I even tried not configuring nfq in iptables. With iptables configured for nfq, the same situation.

Is it dangerous to always use exit_pronto = true in the sources? So a quick exit without cleanup can be done.

exit_pronto is set to false after some part of initialization is done. Maybe do not set it to false, for availability of a quick
exit?

Thanks.






_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

