Snort mailing list archives
Re: HUP causes wierd msgs in snort-1.8.1-beta6
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 8 Aug 2001 09:50:57 -0700 (PDT)
On Wed, 8 Aug 2001, Jason Haar wrote:
> I don't think this applies to me. I'm not running "snort -t", I'm running:
> chroot dir /usr/sbin/snort -u snort .....
Gotcha! But--It does get you. :) In

/* $Id: snort.c,v 1.106 2001/08/07 11:46:10 fygrave Exp $ */

(latest CVS) you have the following:

2089 /*
2090  *
2091  * exit_or_exec()
2092  * Arguments: status, signal received.
2093  *
2094  * This function performs exec on SIGHUP signal and exit otherwise
2095  *
2096  */
2097 void exit_or_exec(int stat, int sig)
2098 {
2099     /* make sure everything that needs to go to the screen gets there */
2100     fflush(stdout);
2101
2102     if(sig != SIGHUP)
2103     {
2104         if(!pv.test_mode_flag)
2105         {
2106             LogMessage("Snort received signal %d, exiting\n", sig);
2107         }
2108
2109         exit(stat);
2110     }
2111     else
2112     {
2113         LogMessage("Received SIGHUP. Restarting");
2114 #ifdef PARANOID
2115         execv(progname, progargs);
2116 #else
2117         execvp(progname, progargs);
2118 #endif
2119         LogMessage("Restarting %s failed", progname);
2120         exit(1);
2121     }
2122 }
2123

In line 2115: When it gets HUP'ed, it executes an execv(2) or an execvp(2). That basically 'restarts' snort from scratch. Chroot works as if the directory you specify becomes / and not /foo. From the chroot(1m) man page:

[...snip...]
DESCRIPTION
     The chroot utility causes command to be executed relative to
     newroot. The meaning of any initial slashes (/) in the path
     names is changed to newroot for command and any of its child
     processes. Upon execution, the initial working directory is
     newroot.
[...snip...]
> i.e. *I* set up the jail - not snort. So snort should be self-contained. HUP
> should work as normal.
Snort is self contained, it's the way that chroot + execv(p) works.
> On our DMZ hosts, I make a habit of "manually" chroot'ing any network app I
> can - HUP works as expected on squid, sockd, apache and mysql, so I can't
> understand why snort has difficulties.
Right. Other apps don't use the execv(p) function as snort does. It's not really a 'snort problem', it's more of an A + B issue. :-/

Sorry to be the bearer of bad news, but I've been down this path before. It just broke my little mind! Thankfully Dragos, Fydor and Mary pointed me at the right man pages. ;-)

Best solution: Start a new copy, sleep for 60 seconds then kill the old copy. That will give you a bit of overlap, but not be out for any amount of time. Not elegant, but it works.

If I _could_ code my way out of a wet paper bag, I'd try to fix it in some manner..... :-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users