[Snort-devel] [roesch at ...48...: Re: [Snort-admin] defrag problem fixed]

Fyodor fygrave at ...1...
Sun Nov 19 14:16:28 EST 2000

going back through 'brushup list' :-)

From: Martin Roesch <roesch at ...48...>

> >
> > * fix daemon mode on Linux

hmm.. I am unable to repeat this problem on the following system:
[root at ...124... ]# uname -a
Linux box.notlsd.net 2.2.16 #1 SMP Mon Jul 3 14:20:42 ICT 2000 i686 unknown


> > * fix packet file readback on linux

this problem is more or less libpcap specific, no? e.g. if you link
snort with old libpcap, but try to use tools linked with redhat shipped
(read 'broken') libpcap, you run into trouble.

> > * look into potential PID file naming issues

?? any followup?

>   * fix chroot relative path names

I think it's fixed more or less. Some plugins may have slipped through my eyes though,
but I fixed it everywhere I could see. From now (on? :)) all logfile names should
be relative to chroot if chroot is used. If initialisation is done
after chroot took place, no changes in code are needed. If initialisation
is done before chroot (e.g. in SetupPlugin function(s)) then the following construction
is suggested:

         snprintf(filename, BUFLEN, "%s%s",
                  chrootdir == NULL ? "" : chrootdir, realname);

or something. I suspect there would be no harm in using it after chroot is done;
I modified the code so chrootdir is reset back to NULL after chrooting has been performed.

> We need to tweak the stream reassembler to use the session window size instead
> of just allocating a 64k data buffer to each side of a connection, this is
> going to turn Snort from a lightweight IDS to a heavyweight one.  (See
> yesterday's "100MB memory leak" thread for proof...)

yep. have seen another post on this topic today. Looks like a pointer gets
some random value (non-null though) which causes a coredump. Needs further investigation.

> I've had requests for a few more link layer protocols, CSLIP and ATM.  I think
> these can wait until after 1.7.  

CSLIP can do, but does anyone have access to ATM hardware? Dragos? :)

> The daemon mode issues still seem like they might be a problem on Linux.

Setting the device into promisc. mode happens after the child process has been forked; I don't think
it's fork which drops promisc. mode. Anything else? I tried to repeat this problem on
two linux systems I have access to, R.H. 6.1 and 6.2; neither of them showed the problem.
Is anyone else able to reproduce the problem?

> the beta out this week.

probably a bit of delay with it ;-P

Martin Roesch
roesch at ...48...
Snort-admin mailing list
Snort-admin at lists.sourceforge.net

----- End forwarded message -----

PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
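
The path construction suggested in the message above, as an added example that is not part of the original post and is not Snort's code: a hypothetical helper, build_log_path, that prefixes the chroot directory when called before chroot and rejects a truncated result instead of opening a different file. The function name, buffer size and sample paths are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Snort's code). Before chroot() the caller passes
 * the chroot directory so the file lands inside the future root; after
 * chroot() it passes NULL, matching the message's note that chrootdir is
 * reset to NULL once chrooting is done.
 * Returns 0 on success, -1 on bad input or if the path would be truncated. */
int build_log_path(char *out, size_t outlen,
                   const char *chrootdir, const char *realname)
{
    int n;

    if (out == NULL || outlen == 0 || realname == NULL || realname[0] == '\0')
        return -1;

    if (chrootdir == NULL || chrootdir[0] == '\0') {
        /* Already chrooted, or no chroot in use: take the name as given. */
        n = snprintf(out, outlen, "%s", realname);
    } else {
        /* Join with exactly one '/', so "/var/jail/" + "/log/alert"
         * does not become "/var/jail//log/alert". */
        size_t plen = strlen(chrootdir);
        while (plen > 0 && chrootdir[plen - 1] == '/')
            plen--;
        while (*realname == '/')
            realname++;
        n = snprintf(out, outlen, "%.*s/%s", (int)plen, chrootdir, realname);
    }

    /* snprintf returns the length it wanted to write; a value >= outlen
     * means the path was cut short and would name a different file. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[64];
    /* Constructed sample values. */
    if (build_log_path(path, sizeof path, "/var/jail/", "/log/alert") == 0)
        printf("before chroot: %s\n", path);
    if (build_log_path(path, sizeof path, NULL, "/log/alert") == 0)
        printf("after chroot:  %s\n", path);
    return 0;
}
```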
