Snort mailing list archives

Re: Snort Command/Control architecture when running as a daemon


From: Robert Ellis via Snort-devel <snort-devel () lists snort org>
Date: Thu, 7 Jan 2021 00:33:03 +0000

Quite possibly.

I have discovered that the command control idea seems to be specific to
previous versions of Snort.

Also, taking Carl Waxman's fbstreamer.cc as inspiration, I think I can
design some code that would retrieve the latest timestamp written by
Snort's performance monitor, which conceptually may be a perfect fit for my
needs.

However, it isn't clear to me that the performance monitoring code is
intended to run 24/7 in live environments, so I still have some research to
do.

If I ever realise some working code I'll happily share it. That said, I'm
C#/.NET Core by trade rather than C++, so no one need hold their breath.

Thanks for checking in on this. Depending upon how reliable Snort++
actually is, your own idea may be as good as any, although ultimately I'd
like to find a solution that can interoperate with, e.g., AWS load balancer
type health checks.

Thanks again.

R

On Mon, 4 Jan 2021 at 14:36, Noah Dietrich <noah_dietrich () 86penny org>
wrote:

Would it be easier to configure the systemd service to restart Snort if
the service failed? Adding something like:

[Service]
Restart=on-failure
RestartSec=5s


to the Snort3 unit file?

On Mon, Jan 4, 2021 at 2:30 PM Robert Ellis via Snort-devel <
snort-devel () lists snort org> wrote:

Hello & Happy New Year.

Presuming a deployment of Snort 3 on Ubuntu with Snort configured to run
as a daemon and configured 'in-line' (i.e. to operate as an IPS and drop bad
connections/packet streams).

Let us say I wanted to develop a new "Snort Health Check" daemon to
continuously monitor the health of the Snort daemon.

In the Snort manual I have found this:

1.10 Control Socket
Snort can be configured to provide a Unix socket that can be used to
issue commands to the running process. You must build snort with the
--enable-control-socket option. The control socket functionality is
supported on Linux only.
Snort can be configured to use control socket using the command line
argument --cs-dir <path> and snort config option cs_dir as follows:
snort --cs-dir <path>
config cs_dir:<path>
<path> specifies the directory for snort to create the socket. If
relative path is used, the path is relative to pid path specified. If there
is no pid path specified, it is relative to current working directory.
A command snort_control is made and installed along with snort in the
same bin directory when configured with the --enable-control-socket
option.

This control socket looks like it *may* be the ideal way to query the
Snort daemon to determine:
1) that the Snort daemon is 'alive' in the most basic sense (i.e. it has
been launched)
2) that the Snort daemon is operational in a more specific and meaningful
sense (e.g. the Snort daemon process is responsive to a command and the
response is sane/consistent)

Question 1: is that right? Or is there a
better/more-appropriate alternative for programmatically querying the health
of a running Snort daemon?

Question 2: if the above does indeed seem a reasonable approach, then is
there a particular command that would be a logical choice to issue for the
purpose of a routine health check?

In the Manual at Section 1.7.1 there is an illustration of output metrics,
but I understand these are output only when Snort terminates:

===============================================================================
Run time for packet processing was 175.856509 seconds
Snort processed 3716022 packets.
Snort ran for 0 days 0 hours 2 minutes 55 seconds
   Pkts/min:      1858011
   Pkts/sec:        21234


===============================================================================

If there were a command that facilitated the output of one or more of
these metrics in real-time, it might be ideal for health-checking purposes,
but I have been unable to find anything documented that looks like the
right fit.

Any ideas or pointers would be gratefully received. (I intend to take a
closer look at the Snort++ source code shortly, too; any pointers to the
relevant sections would also be appreciated).

Many thanks

Robert



_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
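The thread above asks how an external daemon can tell (1) that the Snort process is alive and (2) that it is actually doing work, and how to surface that to a load balancer health check. The sketch below is an added example written for this page; it is not Snort's own code and not code from any participant in the thread. It takes Robert's two-level idea and the perf-monitor-timestamp approach he mentions and implements them without the control socket: liveness from the pidfile and a signal-0 probe, a zombie check via /proc (Linux only), and a "still working" check based on the modification time of a file Snort keeps updating. The paths PIDFILE and STATS_FILE, the 120-second staleness window and the HTTP port are assumptions to be adapted to the deployment; the HTTP endpoint returns 200 when healthy and 503 otherwise, which is what AWS-style load balancer health checks consume.

```python
"""Hypothetical Snort health-check sidecar (added example, not Snort's own code).

Checks, from weakest to strongest:
  1. the pidfile names a live process (the daemon was launched and still runs)
  2. that process is not a zombie (read from /proc/<pid>/stat; Linux only,
     skipped elsewhere)
  3. Snort has produced output recently: the mtime of a file it keeps writing
     (e.g. a perf-monitor CSV) is within a freshness window
The results are exposed over HTTP so a load balancer can poll them:
HTTP 200 = healthy, 503 = unhealthy, with a JSON body for humans.
"""
import json
import os
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

# Assumed paths and limits; adjust to the deployment.
PIDFILE = Path("/var/run/snort.pid")                  # assumption
STATS_FILE = Path("/var/log/snort/perf_monitor.csv")  # assumption
MAX_STALENESS = 120.0  # seconds without a stats update before "unhealthy"


def read_pid(pidfile):
    """Return the integer PID stored in pidfile, or None if absent/malformed."""
    try:
        return int(Path(pidfile).read_text().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def process_alive(pid):
    """True if a process with this PID exists. Signal 0 delivers nothing; it
    only reports whether the target exists and whether we may signal it."""
    if pid is None or pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def process_state(pid):
    """Return the state letter from /proc/<pid>/stat ('R', 'S', 'Z', ...),
    or None when /proc is unavailable (non-Linux) or unreadable."""
    try:
        stat = Path(f"/proc/{pid}/stat").read_text()
    except OSError:
        return None
    # The comm field is parenthesised and may contain spaces or ')',
    # so split on the last ')' and take the next field.
    return stat.rsplit(")", 1)[1].split()[0]


def file_fresh(path, max_age, now=None):
    """True if path exists and was modified within the last max_age seconds."""
    now = time.time() if now is None else now
    try:
        return (now - Path(path).stat().st_mtime) <= max_age
    except OSError:
        return False


def health(pidfile=PIDFILE, stats_file=STATS_FILE, max_age=MAX_STALENESS, now=None):
    """Run every check and return (healthy, detail) where detail is a dict
    suitable for serialising into the HTTP response body."""
    pid = read_pid(pidfile)
    alive = process_alive(pid)
    state = process_state(pid) if alive else None
    fresh = file_fresh(stats_file, max_age, now)
    detail = {"pid": pid, "alive": alive, "state": state, "stats_fresh": fresh}
    return alive and state != "Z" and fresh, detail


class HealthHandler(BaseHTTPRequestHandler):
    """GET on any path: 200 when all checks pass, 503 otherwise."""

    def do_GET(self):
        ok, detail = health()
        body = json.dumps(detail).encode()
        self.send_response(200 if ok else 503)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the sidecar quiet on stderr
        pass


if __name__ == "__main__":
    # Bind to localhost; put the load balancer target group or a reverse
    # proxy in front rather than exposing this directly.
    HTTPServer(("127.0.0.1", 8080), HealthHandler).serve_forever()
```

The freshness check is what distinguishes "launched" from "working": a Snort process wedged in a blocked state still answers the signal-0 probe and is not a zombie, but it stops updating its output files, so the staleness window is the value to tune against the perf-monitor interval actually configured. If the systemd Restart=on-failure approach from the thread is also used, this endpoint will report 503 during the restart gap and recover on its own once the new process writes its first stats line.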

