[Snort-devel] Re: Try This

Phil Wood cpw at ...86...
Sat Apr 6 08:54:02 EST 2002


Folks,

I've included a minor patch for the Version 1.9-dev (Build 116) of snort.
It consists of one cosmetic change to stream4's Ports list, and a new
switch 'R' to allow for multiple snort daemons running off the same
interface.  The stream4 patch is a no brainer in one file spp_stream4.c-patch.
The new switch is accomplished by patching 3 files; snort.c, snort.h and
util.c.  The 'R' takes a small arbitrary text argument which is insinuated
into the /var/run/snort_intf.pid file name like so:

  /var/run/snort_%s%s.pid ... , "intf", pv.pidfile_suffix ...

The command line for my snort incantation includes:

   ... -R "-$PW_PROC" ...

where PW_PROC is usually some small mnemonic like 'aa'.  At this moment I'm
running a snort which generated a name in /var/run like so:

  /var/run/snort_eth0-aa.pid

I need this, as I run 2 tcpdumps and 3 snorts on the same gige interface.
(I put the same switch into tcpdump, but that's another story)

Thanks,

-- 
Phil Wood, cpw at ...86...

-- 
Phil Wood, cpw at ...86...

-------------- next part --------------
--- snort+/src/snort.c	Sat Apr  6 16:31:59 2002
+++ snort/src/snort.c	Fri Apr  5 19:24:10 2002
@@ -306,7 +306,7 @@
      * all of that is done in CreatePidFile
      *
      */
-    if(pv.use_rules || pv.log_flag || pv.daemon_flag || *pv.pidfile_suffix)
+    if(pv.use_rules || pv.log_flag || pv.daemon_flag)
     {
         if(!pv.nolog_flag && 
 	   (pv.alert_mode == ALERT_FAST ||
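Review bot: The patch appears to be generated in the reverse direction: the `---` file is `snort+/src/snort.c` and the `*pv.pidfile_suffix` test sits on the `-` line, so applying it as posted would take the `-R` support out rather than add it, contrary to the description. The same applies to the remaining snort.c hunks and to the snort.h and util.c hunks. Regenerating with the stock tree as the old side (`diff -u snort/src/snort.c snort+/src/snort.c`) would turn the `pidfile_suffix` lines into additions. The enclosing function starts and ends outside the hunk.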
@@ -320,7 +320,7 @@
         }
 
         /* ... then create a PID file if not reading from a file */
-        if (!pv.readmode_flag && (pv.daemon_flag || *pv.pidfile_suffix))
+        if (!pv.readmode_flag && pv.daemon_flag)
 	    {
 #ifndef WIN32
             CreatePidFile(pv.interfaces[0]);
@@ -719,13 +719,12 @@
     username = NULL;
     groupname = NULL;
     chrootdir = NULL;
-    pv.pidfile_suffix[0] = 0;
 
 #ifndef WIN32
-    valid_options = "R:B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
+    valid_options = "B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
         "i:G:vV?aso6u:g:t:Uwyz:";
 #else
-    valid_options = "R:B:fk:TXL:IOCWqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
+    valid_options = "B:fk:TXL:IOCWqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
         "i:G:vV?aEo6u:g:s:t:Uyzw:";
 #endif
 
@@ -1099,28 +1098,6 @@
                     printf("No run mode specified, defaulting to verbose mode\n");
                     pv.verbose_flag = 1;
                     pv.data_flag = 1;
-                }
-
-                break;
-
-            case 'R': /* augment pid file name CPW*/
-                if (strlen(optarg) < MAX_PIDFILE_SUFFIX && strlen(optarg) > 0)
-                {
-                    if (!strstr(optarg, "..") && !(strstr(optarg, "/")))
-                    {
-                        snprintf(pv.pidfile_suffix, MAX_PIDFILE_SUFFIX, "%s",
-                                optarg);
-                    }
-                    else
-                    {
-                        FatalError("ERROR: illegal pidfile suffix: %s\n",
-                                optarg);
-                    }
-                }
-                else
-                {
-                    FatalError("ERROR: pidfile suffix length problem: %d\n",
-                            strlen(optarg) );
                 }
 
                 break;
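Review bot: In the `-R` handler (on the `-` side here, since the diff looks reversed), the length error passes `strlen(optarg)` to a `%d` conversion; `strlen` returns `size_t`, so the argument does not match the format on platforms where `size_t` is wider than `int`. `FatalError("ERROR: pidfile suffix length problem: %lu\n", (unsigned long)strlen(optarg));` avoids that. The `..` and `/` rejection keeps the suffix inside the PID directory, but every other byte is still accepted into the file name and the log line; an allow-list of alphanumerics, `-` and `_` would be tighter. The enclosing `switch` begins and ends outside the hunk.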
-------------- next part --------------
--- snort+/src/snort.h	Sat Apr  6 15:46:28 2002
+++ snort/src/snort.h	Sat Apr  6 14:55:01 2002
@@ -281,8 +281,6 @@
 #define RF_ANY_DP     0x10
 #define RF_ANY_FLAGS  0x20
 
-#define MAX_PIDFILE_SUFFIX 11 /* uniqueness extension to PID file, see '-R' */
-
 /*
  * you may need to ajust this on the systems which don't have standard
  * paths defined
@@ -436,7 +434,6 @@
     int include_year;
     int ghetto_msg_flag;
     ClassTypes *ct;  /* rule classification types */
-    char pidfile_suffix[MAX_PIDFILE_SUFFIX+1]; /* room for a null */
 } PV;
 
 /* struct to collect packet statistics */
-------------- next part --------------
--- snort+/src/util.c	Sat Apr  6 15:43:56 2002
+++ snort/src/util.c	Fri Apr  5 19:24:10 2002
@@ -680,10 +680,9 @@
         FatalError("ERROR: CreatePidFile() failed to lookup interface or pid_path is unknown!\n");
     }
 
-    snprintf(pv.pid_filename, STD_BUF,  "%s/snort_%s%s.pid", pv.pid_path,
-		    intf, pv.pidfile_suffix);
+    LogMessage("Writing PID file to \"%s\"\n", pv.pid_path);
 
-    LogMessage("Writing PID to file \"%s\"\n", pv.pid_filename);
+    snprintf(pv.pid_filename, STD_BUF,  "%s/snort_%s.pid", pv.pid_path, intf);
 
     pid_file = fopen(pv.pid_filename, "w");
 
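Review bot: The `snprintf` into `pv.pid_filename` ignores its return value, so an over-long `pv.pid_path`/`intf` (plus the suffix in the `snort+` version) would be truncated silently to `STD_BUF` and could produce a name without the distinguishing suffix; checking `n < 0 || n >= STD_BUF` and calling `FatalError` would catch that. Separately, `fopen(pv.pid_filename, "w")` follows symbolic links and truncates the target, which matters if the PID directory is writable by anyone less privileged than snort (not visible here); opening with `open(..., O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644)` and then `fdopen` is the usual hardening where `O_NOFOLLOW` exists. CreatePidFile starts and ends outside the hunk.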
-------------- next part --------------
--- snort+/src/preprocessors/spp_stream4.c	Sat Apr  6 15:57:06 2002
+++ snort/src/preprocessors/spp_stream4.c	Wed Apr  3 23:15:38 2002
@@ -986,7 +986,7 @@
                 s4data.reassemble_client ? "ACTIVE": "INACTIVE");
         LogMessage("    Reassembler alerts: %s\n", 
                 s4data.reassembly_alerts ? "ACTIVE": "INACTIVE");
-        LogMessage("    Ports: "); 
+        LogMessage("    Ports:\n"); 
 
         for(i=0;i<65536;i++)
         {

