From: C.G.Senthilkumar. <che...@cs...> - 2005-05-23 20:36:26

Hi,

This is the command line I use to invoke snort_inline on FreeBSD 4.10 with ipfw on it:

/usr/local/bin/sudo /usr/local/bin/snort_inline -J 500 -c /users/someuser/snort/snort_inline-2.3.0-RC1/etc/snort_inline.conf -D

Once in a while, I update the rules files. Now, I want snort_inline to read in the updated rules files, so I send it a SIGHUP signal using:

sudo kill -s HUP 2381

sudo tail -n 1 /var/log/message gives:

May 23 14:14:28 node1 snort_inline: Snort initialization completed successfully (pid=2381)

However, I don't see snort_inline running after sending the SIGHUP.

Is there a problem with using sudo and sending SIGHUP? What am I missing here? Except for restarting, other things seem to work fine.

Any help will be very useful.

Thanks in advance.
Senthil.
--
Today's fortune:
Learning at some schools is like drinking from a firehose.

From: C.G.Senthilkumar. <che...@cs...> - 2005-05-23 23:13:37

Hi,

Following up on my previous e-mail.

Since SIGHUP didn't restart the snort_inline daemon cleanly, I tried running snort_inline in foreground. I was not expecting a SIGHUP to restart snort_inline, but was trying to debug. When I sent a SIGHUP, I got the following error:

IpfwLoop: can't bind divert socket: Address already in use

Is that any use?

Any help would be very useful.

Thanks in advance.
Senthil.
--
Today's fortune:
Learning at some schools is like drinking from a firehose.

From: Nick R. <ni...@ro...> - 2005-05-24 00:46:55

On Mon, 23 May 2005, C.G.Senthilkumar. wrote:

> Hi,
>
> Following up on my previous e-mail.
>
> Since, SIGHUP didn't restart the snort_inline daemon cleanly, I tried
> running snort_inline in foreground. I was not expecting a SIGHUP to
> restart snort_inline, but was trying to debug. When I sent a SIGHUP, I
> got the following error:
>
> IpfwLoop: can't bind divert socket: Address already in use

This means that the DIVERT socket that snort_inline listens on is being used by something else, namely the existing snort_inline.

The question is does sending a SIGHUP normally restart snort_inline? If it does, I will submit a patch.

Nick Rogness <ni...@ro...>
-
How many people here have telekenetic powers? Raise my hand.
-Emo Philips

From: Will M. <wil...@gm...> - 2005-05-24 04:27:54

> The question is does sending a SIGHUP normally restart
> snort_inline?

yup

Take a look at CleanExit() in snort.c, we nuke our ipq_handle with ipq_destroy_handle, not sure what the IPFW equivalent is.

Regards,

Will

From: C.G.Senthilkumar. <che...@cs...> - 2005-05-24 05:20:29

On Mon, 23 May 2005, Will Metcalf wrote:

>> The question is does sending a SIGHUP normally restart
>> snort_inline?
>
> yup

That's encouraging. Waiting for the patch now.

Thanks in advance.
Senthil.
--
Today's fortune:
One cannot make an omelette without breaking eggs -- but it is amazing how many eggs one can break without making a decent omelette.
-- Professor Charles P. Issawi

From: Nick R. <ni...@ro...> - 2005-05-24 06:05:23

On Mon, 23 May 2005, Will Metcalf wrote:

>> The question is does sending a SIGHUP normally restart
>> snort_inline?
>
> yup
>
> Take a look at CleanExit() in snort.c, we nuke our ipq_handle with
> ipq_destroy_handle, not sure what the IPFW equivalent is.

Just closing the socket(). I'll work on that a bit and patch against 2.3.0-RC1.

Also, I submitted snort_inline into the main FreeBSD ports tree. Just waiting for approval.

Nick Rogness <ni...@ro...>
-
How many people here have telekenetic powers? Raise my hand.
-Emo Philips

From: Nick R. <ni...@ro...> - 2005-05-24 07:09:28

On Mon, 23 May 2005, Will Metcalf wrote:

>> The question is does sending a SIGHUP normally restart
>> snort_inline?
>
> yup
>
> Take a look at CleanExit() in snort.c, we nuke our ipq_handle with
> ipq_destroy_handle, not sure what the IPFW equivalent is.

It doesn't appear that you are destroying the ipq handle when a SIGHUP is received (via Restart()). It looks only like it is referenced inside of CleanExit(), which is not called during a SIGHUP. I don't know if destroying the ipq handle is necessary during a SIGHUP or not, but I added your destroy code inside of Restart just as it is in CleanExit().

Attached are 3 diff files to be patched against 2.3.0-RC1. This includes the ipq_destroy stuff added in Restart(). If that isn't necessary, I can take it out and resubmit the patch.

Nick Rogness <ni...@ro...>
-
How many people here have telekenetic powers? Raise my hand.
-Emo Philips

From: Will M. <wil...@gm...> - 2005-05-24 13:29:49

Nick,

Oops, it was late, I missed the HUP part of that. Yeah, we need ipq_destroy_handle in Restart() as well, so thanks.

Regards,

Will
