From: David G. <gu...@in...> - 2007-04-13 06:50:18
The patch seems to work very well indeed, I now can end snort_inline and get my nifty statistics :) thanks!

/David Gunnarsson

Victor Julien wrote:
> Okay after some testing I noticed the same thing, signals seem to be
> ignored by nfq enabled Snort_inline. Please try the attached patch to
> see if it works well for you. On my system it seems to work fine :-)
>
> Let me know!
>
> Cheers,
> Victor
>
> Victor Julien wrote:
>> Hi David,
>>
>> David Gunnarsson wrote:
>>
>>> I have a minor issue with snort_inline 2.6.1.2.
>>>
>>> It is when I try to stop it with ctrl+c, nothing happens!
>>> It seems to be only when using from queues (with nf_queue) and not
>>> when I try with pcap.
>>> It does not seem to matter if snort_inline has received any traffic
>>> or not.
>>>
>> Like we discussed in IRC, I think the issue here is specific to
>> nfqueue. Snort_inline evaluates a signal only when the 'packet read'
>> function returns. In case of ip_queue I have added a timeout (to
>> ipq_read) so it returns a number of times per second iirc. For
>> nfqueue we haven't done that yet, as far as I can see. The recv call
>> that gets a packet from the kernel is blocking and will wait forever
>> until a packet is read. Dave, do you have any ideas on how to fix
>> this? As far as I know we can't add a timeout value to the recv call.
>> Maybe we need to look at using something like select or poll?
>>
>> Cheers,
>> Victor
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users >> > > ------------------------------------------------------------------------ > > Index: src/inline.c > =================================================================== > --- src/inline.c (revision 52) > +++ src/inline.c (working copy) > @@ -518,6 +518,17 @@ > nh = nfq_nfnlh(nfqh); > nl_fd = nfnl_fd(nh); > > + /* set a timeout to the socket so we can check for a signal > + * in case we don't get packets for a longer period. */ > + struct timeval tv; > + tv.tv_sec = 1; > + tv.tv_usec = 0; > + > + if ( setsockopt(nl_fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv) ) == -1) { > + printf("[%d] can't set socket timeout: %s\n",getpid(), strerror(errno)); > + exit(1); > + } > + > /* The following loop basically gets executed forever, or until > * snort blows or gets signalled to exit. As with libipq, > * netlink_queue requires that every single packet asked for > @@ -546,7 +557,11 @@ > //printf("recvd %i bytes glid = %u\n", rcvstatus, glid); > if (rcvstatus < 0) > { > - printf("[%d] packet recv contents failure\n",getpid()); > + if (errno == EINTR || errno == EWOULDBLOCK) { > + sig_check(); > + } else { > + printf("[%d] packet recv contents failure\n",getpid()); > + } > } > else > { > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV > ------------------------------------------------------------------------ > > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > |
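Review bot: In the first hunk (@@ -518,6 +518,17 @@), the setsockopt() failure path calls exit(1) directly after nfqh, nh and nl_fd are already in use, so the queue handle is never released on that path. The timeout only exists so the loop can notice a signal; consider printing the warning and continuing without it, or leaving through the normal cleanup path instead of exit(1). Two smaller points in the same hunk: "struct timeval tv;" is declared after the statements "nh = nfq_nfnlh(nfqh);" and "nl_fd = nfnl_fd(nh);", which pre-C99 compilers reject, so move it to the top of the enclosing block; and the one-second value in "tv.tv_sec = 1;" would read better as a named constant.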
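Review bot: In the second hunk (@@ -546,7 +557,11 @@), the test "errno == EINTR || errno == EWOULDBLOCK" should also accept EAGAIN. An expired SO_RCVTIMEO is reported as EAGAIN or EWOULDBLOCK, and POSIX allows the two to be distinct values, so on a platform where they differ a plain timeout would fall into the else branch and print "packet recv contents failure" once per second. In that else branch the message still drops the cause; adding strerror(errno), as the setsockopt() error message in the first hunk does, would make real receive failures diagnosable.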