From: Adrian S. <soo...@gm...> - 2005-10-21 22:16:04
I recently patched my snort_inline 2.3.0 with the patch regarding a SIGHUP-able snort_inline supplied in this mailing list from a few months back. The patch applied cleanly. I can sighup snort_inline, and it reloads a new ruleset.

I wanted to make sure that the functionality was reliable before I put my snort_inline box inline, seeing that I want to write a utility that will update the snort rules regularly and sighup snort_inline to reread the rulesets (keeping the same pid around is helpful in this case).

I put my Celeron 2.4 GHz Snort IPS box with snort_inline under heavy load (blasted it with iperf and ping floods), and ran a bash script that would send a SIGHUP to snort_inline once every five seconds. The script would also check to see if the pid changed or disappeared. Within ten minutes every time, snort_inline dies miserably or is in memory (state 'S'), but does not pass traffic.

I don't know why the sighup isn't always reliable. Any ideas why?

-Adrian