Snort mailing list archives
Re: Something I don't understand...
From: Bob Hillegas <bobhillegas () pdq net>
Date: Tue, 28 Aug 2001 14:58:11 -0500 (CDT)
On Tue, 28 Aug 2001, John Sage wrote:
Date: Tue, 28 Aug 2001 12:24:33 -0700
From: John Sage <jsage () finchhaven com>
To: Bob Hillegas <bobhillegas () pdq net>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Something I don't understand...

Bob: See inline..
... snip ...
On RH7.1, I'm using ppp on-demand. When ppp is set up (using /etc/sysconfig/network-scripts/ifup-ppp) it invokes ppp-watch to monitor the ppp0 port. When it triggers, it runs /etc/ppp/ip-up which runs ifup-post. That in turn references ifup-local (if it exists). I added ifup-local to awk the IP address assigned by my ISP out of `/sbin/ifconfig`. This gets passed to my ipchains script. I could also pass it to my snort script, but $ppp0_ADDRESS does the same thing, so I use that, as in var HOME_NET $ppp0_ADDRESS. Conversely, I use /etc/sysconfig/network-scripts/ifdown-local to issue kill -TERM snort.pid. There's some more plumbing involved, but that's the gist of it.

OK: so snort *is* getting the new IP.. ..but, man snort says "..SIGHUP causes the daemon to close all open files and restart... ...this will only work if the full path name is used to invoke snort in daemon mode..."
That's why you use SIGTERM, as in: kill -TERM snort.pid

If you use the daemon function call in RH7.1, it creates a file in /var/run called snort_${INTERFACE}.pid (snort_ppp0.pid in my case). That allows you to use the function killproc to issue the SIGTERM. Clean and to the point.
I dunno.. I'm not that familiar with snort in daemon mode. Anyone else? - John
--
Bob Hillegas <bobhillegas () pdq net>
281.546.9311
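
The interface-up and interface-down steps described in this thread, sketched as an added example that is not part of the original posts: helpers that pull the ppp0 address out of ifconfig output, validate it before it reaches a firewall or IDS script, and stop the sensor from its PID file. The `PIDDIR` variable, the function names and the sample ifconfig text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): helpers an ifup-local / ifdown-local
# pair could call. PIDDIR and SAMPLE_IFCONFIG are assumptions for illustration.

# Constructed sample of old net-tools ifconfig output (documentation addresses).
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.45  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Print the first IPv4 address found in ifconfig output on stdin.
# Accepts both "inet addr:A.B.C.D" (old net-tools) and "inet A.B.C.D" layouts.
iface_addr() {
    awk '/inet / { for (i = 1; i < NF; i++) if ($i == "inet") {
             a = $(i + 1); sub(/^addr:/, "", a); print a; exit } }'
}

# Succeed only for a dotted quad with each octet in 0-255, so a failed or
# garbled lookup never reaches the firewall or IDS configuration.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Send SIGTERM to the sensor recorded in PIDDIR/snort_<iface>.pid.
# Returns 1 if no PID file, 2 if it is not numeric, 3 if the PID is stale.
stop_snort() {
    pidfile="${PIDDIR:-/var/run}/snort_$1.pid"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case "$pid" in ''|*[!0-9]*) return 2 ;; esac
    kill -TERM "$pid" 2>/dev/null || { rm -f "$pidfile"; return 3; }
    rm -f "$pidfile"
}

# Interface-up side: look up the address and refuse to continue if it is bad.
addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr)
if valid_ipv4 "$addr"; then
    echo "ppp0 address for the firewall script: $addr"
else
    echo "no usable address on ppp0" >&2
fi
```

A PID file only records a number, so a stale file can point at an unrelated process after PID reuse; a production hook would also confirm the process name before signalling.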