From: Victor J. <vi...@nk...> - 2005-10-25 14:56:18
Adrian Soogemackelyk wrote:
> I recently patched my snort_inline 2.3.0 with the patch regarding a
> SIGHUP-able snort_line supplied in this mailing list from a few months
> back. The patch applied cleanly. I can sighup snort_inline, and it
> reloads a new ruleset. I wanted to make sure that the functionality was
> reliable before I put my snort_inline box inline, seeing that I want to
> write a utility that will update the snort rules regularly and sighup
> snort_line to reread the rulesets (keeping the same pid around is
> helpful in this case).
>
> I put my Celeron 2.4 GHz Snort IPS box with snort_inline under heavy
> load (blasted it with iperf and ping floods), and ran a bash script that
> would send a SIGHUP to snort_inline once every five seconds. The script
> would also check to see if the pid changed or disappeared. Within ten
> minutes every time, snort_inline dies miserably or is in memory (state
> 'S'), but does not pass traffic. I don't know why the sighup isn't
> always reliable. Any ideas why?

It looks like when a SIGHUP is received, the function SigHupHandler() is
called. That function in turn calls Restart(). From what I can see
nothing will prevent the system from running Restart() again before the
previous run is done. This means we can have multiple Restarts running
at the same time which will not work...

I'll look into this...

Regards,
Victor
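
Added example, not part of the original message and not snort_inline's code: a common way to rule out the overlapping Restart() runs described above is to have the SIGHUP handler only set a flag and to do the reload from the main loop with SIGHUP blocked. All function names here are hypothetical, and reload_rules() is a stand-in for re-reading the ruleset.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* The handler only sets this flag; sig_atomic_t is safe to write from a handler. */
static volatile sig_atomic_t reload_pending = 0;
static int reload_count = 0;       /* touched only by the main loop */
static int hup_during_reload = 0;  /* demo knob: simulate a SIGHUP arriving mid-reload */

static void on_sighup(int signo) { (void)signo; reload_pending = 1; }

int install_sighup_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sighup;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;      /* restart interrupted slow syscalls */
    return sigaction(SIGHUP, &sa, NULL);
}

/* Hypothetical stand-in for re-reading the ruleset. */
static void reload_rules(void) {
    if (hup_during_reload) { hup_during_reload = 0; raise(SIGHUP); }
    reload_count++;
}

/* Call between packets from the main loop. Returns 1 if a reload ran. */
int service_reload_request(void) {
    sigset_t hup, old;
    if (!reload_pending) return 0;
    sigemptyset(&hup);
    sigaddset(&hup, SIGHUP);
    sigprocmask(SIG_BLOCK, &hup, &old);    /* a SIGHUP arriving now stays pending */
    reload_pending = 0;
    reload_rules();
    sigprocmask(SIG_SETMASK, &old, NULL);  /* pending SIGHUP is delivered here */
    return 1;
}

int reloads_done(void) { return reload_count; }
void simulate_hup_during_next_reload(void) { hup_during_reload = 1; }

int main(void) {
    if (install_sighup_handler() != 0) return 1;
    for (int i = 0; i < 5; i++) raise(SIGHUP);  /* burst of five SIGHUPs */
    service_reload_request();
    printf("reloads after burst: %d\n", reloads_done());
    return 0;
}
```

A burst of signals collapses into one reload, and a SIGHUP that arrives while a reload is running is kept and triggers exactly one further reload on the next loop iteration.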