[Snort-devel] One more time, a patch to snort Version 1.9-dev (Build 126)

Phil Wood cpw at ...86...
Wed Apr 17 10:01:20 EDT 2002


Hi folks,

I'm hoping this will pass your scrutiny.

First, I would like the old -L functionality back.  However, it looks like that
is just too hard without some give and take on both sides.  The mechanism
I chose to force my binary filename on spo_log_tcpdump.c is to use the
following syntax on the command line of snort:

  snort ... -L \!myspecialname

which means to TcpdumpInitLogFile that I REALLY mean "use myspecialname!"
without the Julian appendage.  So, for whatever reason, your stuff will
continue to work the way you appear to want it to.  And, I can just tweak
my startup scripts with the bang and we can all get on with our lives.
An example of the log name in my file directory is:

  aa20020417.1018

which means a lot more to me than:

  snort.log.1019060307

Not that I can't run my handy dandy `pdate` program and find out what time
it is:

  % pdate 1019060307
  Wed Apr 17 10:18:27 MDT 2002

Of course, Andrew would just figure it out in his head.

Second, I really need the -R functionality.  What's that you say?  It
allows me to insinuate a little cruft in the /var/run/snort...pid name that
means I can run more than one daemon on the same interface without 
clobbering the pid file.  This is a good idea:

Using:  snort ... -R "-$PW_PROC" ...

   # ls -l /var/run/snort*
   -rw-------    1 root     root      6 Apr 17 00:00 /var/run/snort_eth1-b2.pid
   -rw-------    1 root     root      6 Apr 17 00:00 /var/run/snort_eth2-ab.pid
   -rw-------    1 root     root      6 Apr 17 00:00 /var/run/snort_eth2-bg.pid
   -rw-------    1 root     root      6 Apr 17 00:10 /var/run/snort_eth2-by.pid

Don't you agree?

Third, I made a cosmetic change to spp_stream4.c that prints the ports
out on one line.  It just looks more professional this way:

  Stream4_reassemble config:
      Server reassembly: ACTIVE
      Client reassembly: ACTIVE
      Reassembler alerts: INACTIVE
      Ports: 21 23 25 53 80 110 111 143 513 1433 

then this-a-way:

  Stream4_reassemble config:
      Server reassembly: ACTIVE
      Client reassembly: ACTIVE
      Reassembler alerts: INACTIVE
      Ports:
  21 23 25 53 80 110 111 143 513 1433

So, give it a try, you'll like it.

Thanks,

-- 
Phil Wood, cpw at ...86...

-------------- next part --------------
diff -Naur -b snort/src/output-plugins/spo_log_tcpdump.c snort+/src/output-plugins/spo_log_tcpdump.c
--- snort/src/output-plugins/spo_log_tcpdump.c	Wed Apr 10 17:14:24 2002
+++ snort+/src/output-plugins/spo_log_tcpdump.c	Wed Apr 17 15:52:48 2002
@@ -282,9 +282,14 @@
         value = snprintf(logdir, STD_BUF-1, "%s%s.%lu", 
 			 chrootdir == NULL ? "" : chrootdir, data->filename, curr_time);
     else
+	if (data->filename[0] == '!')
+            value = snprintf(logdir, STD_BUF-1, "%s%s/%s",
+			    chrootdir == NULL ? "" : chrootdir, pv.log_dir,
+			    &data->filename[1]);
+        else
         value = snprintf(logdir, STD_BUF-1, "%s%s/%s.%lu",
-			 chrootdir == NULL ? "" : chrootdir, pv.log_dir, data->filename,
-             curr_time);
+			 chrootdir == NULL ? "" : chrootdir, pv.log_dir,
+			 data->filename, curr_time);
 
     if(value == -1)
         FatalError("ERROR: log file logging path and file name are too long, "
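Review bot: A filename consisting of just `!` passes the new `data->filename[0] == '!'` test and produces a path ending in `/` (`pv.log_dir/`), because `&data->filename[1]` is then the empty string; the branch should also require a name after the bang, `if (data->filename[0] == '!' && data->filename[1] != '\0')`. The new inner `if`/`else` sits unbraced inside the outer `else`, and the final `snprintf` is indented at the outer `else`'s level, which hides which `else` it belongs to — brace the outer `else` body and both inner branches. Note also that on C99 libraries `snprintf` signals truncation by returning a value greater than or equal to the size, not -1, so the `value == -1` check below would not catch an over-long path in either the old or the new branch (pre-existing, but the new `!` path inherits it). TcpdumpInitLogFile begins outside the hunk.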
diff -Naur -b snort/src/preprocessors/spp_stream4.c snort+/src/preprocessors/spp_stream4.c
--- snort/src/preprocessors/spp_stream4.c	Wed Apr 17 14:02:40 2002
+++ snort+/src/preprocessors/spp_stream4.c	Wed Apr 17 14:45:38 2002
@@ -1016,7 +1016,7 @@
                 s4data.reassemble_client ? "ACTIVE": "INACTIVE");
         LogMessage("    Reassembler alerts: %s\n", 
                 s4data.reassembly_alerts ? "ACTIVE": "INACTIVE");
-        LogMessage("    Ports:\n"); 
+        LogMessage("    Ports: "); 
 
         for(i=0;i<65536;i++)
         {
diff -Naur -b snort/src/snort.c snort+/src/snort.c
--- snort/src/snort.c	Fri Apr 12 04:11:15 2002
+++ snort+/src/snort.c	Wed Apr 17 14:26:09 2002
@@ -301,7 +301,7 @@
      * all of that is done in CreatePidFile
      *
      */
-    if(pv.use_rules || pv.log_flag || pv.daemon_flag)
+    if(pv.use_rules || pv.log_flag || pv.daemon_flag || *pv.pidfile_suffix)
     {
         if(!pv.nolog_flag && 
 	   (pv.alert_mode == ALERT_FAST ||
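Review bot: Adding `*pv.pidfile_suffix` to `if(pv.use_rules || pv.log_flag || pv.daemon_flag || *pv.pidfile_suffix)` enables the whole block this `if` guards, not only pid-file creation; whatever else the body does (it runs past the hunk, including the log-directory check that starts on the next lines) now also runs for a `-R` invocation that has no rules, no logging and no daemon mode. If that is intended, a short comment on the condition would save the next reader the same question, e.g. `/* -R asks for a pid file, which is created at the end of this block */`; the matching inner test `pv.daemon_flag || *pv.pidfile_suffix` in the following hunk is where the suffix actually takes effect. The enclosing function starts and ends outside the hunk.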
@@ -315,7 +315,7 @@
         }
 
         /* ... then create a PID file if not reading from a file */
-        if (!pv.readmode_flag && pv.daemon_flag)
+        if (!pv.readmode_flag && (pv.daemon_flag || *pv.pidfile_suffix))
 	{
 #ifndef WIN32
             CreatePidFile(pv.interfaces[0]);
@@ -714,12 +714,13 @@
     username = NULL;
     groupname = NULL;
     chrootdir = NULL;
+    pv.pidfile_suffix[0] = 0;
 
 #ifndef WIN32
-    valid_options = "B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
-        "i:G:vV?aso6u:g:t:Uwyz";
+    valid_options = "R:B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
+        "i:G:vV?aso6u:g:t:Uwyz:";
 #else
-    valid_options = "B:fk:TXL:IOCWqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
+    valid_options = "R:B:fk:TXL:IOCWqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
         "i:G:vV?aEo6u:g:s:t:Uyzw:";
 #endif
 
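Review bot: The non-WIN32 option string now ends in `Uwyz:` where it previously ended in `Uwyz`, so `-z` would start requiring an argument on those platforms even though nothing else in this patch touches `-z`; this looks like a stray colon and the line should read `"i:G:vV?aso6u:g:t:Uwyz";`. The `R:` addition itself is consistent between the two branches. The new `pv.pidfile_suffix[0] = 0;` matches the other field resets above it and is harmless even if `pv` is zero-initialised static storage.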
@@ -1006,6 +1007,7 @@
                     pv.binLogFile = strdup(optarg);
                     pv.logbin_flag = 1;
                     pv.log_cmd_override = 1;
+                    pv.log_flag = 1;
                 }
                 else
                 {
@@ -1097,6 +1099,28 @@
 
                 break;
 
+            case 'R': /* augment pid file name CPW*/
+                if (strlen(optarg) < MAX_PIDFILE_SUFFIX && strlen(optarg) > 0)
+                {
+                    if (!strstr(optarg, "..") && !(strstr(optarg, "/")))
+                    {
+                        snprintf(pv.pidfile_suffix, MAX_PIDFILE_SUFFIX, "%s",
+                                optarg);
+                    }
+                    else
+                    {
+                        FatalError("ERROR: illegal pidfile suffix: %s\n",
+                                optarg);
+                    }
+                }
+                else
+                {
+                    FatalError("ERROR: pidfile suffix length problem: %d\n",
+                            strlen(optarg) );
+                }
+
+                break;
+
             case 's':  /* log alerts to syslog */
                 pv.syslog_flag = 1;
                 DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n"););
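Review bot: `FatalError("ERROR: pidfile suffix length problem: %d\n", strlen(optarg))` passes a `size_t` to `%d`, which is undefined behaviour and prints garbage wherever the two types differ in width; cast it, or better, name the limit in the message: `FatalError("ERROR: pidfile suffix must be 1-%d characters: %s\n", MAX_PIDFILE_SUFFIX - 1, optarg);`. The length test admits at most MAX_PIDFILE_SUFFIX-1 characters (the buffer has one more byte for the terminator), which a comment on the `if` should state. Rejecting `..` and `/` is a deny-list; since the suffix becomes part of a file name under `pv.pid_path`, an allow-list of letters, digits, `-` and `_` is the more robust check and would also exclude whitespace and control characters. Computing `strlen(optarg)` three times is harmless, but a single `size_t len = strlen(optarg);` at the top of the case reads better.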
diff -Naur -b snort/src/snort.h snort+/src/snort.h
--- snort/src/snort.h	Wed Apr 17 14:02:40 2002
+++ snort+/src/snort.h	Wed Apr 17 14:25:55 2002
@@ -281,6 +281,8 @@
 #define RF_ANY_DP     0x10
 #define RF_ANY_FLAGS  0x20
 
+#define MAX_PIDFILE_SUFFIX 11 /* uniqueness extension to PID file, see '-R' */
+
 /*
  * you may need to ajust this on the systems which don't have standard
  * paths defined
@@ -452,6 +454,7 @@
     int include_year;
     int ghetto_msg_flag;
     ClassTypes *ct;  /* rule classification types */
+    char pidfile_suffix[MAX_PIDFILE_SUFFIX+1]; /* room for a null */
 } PV;
 
 /* struct to collect packet statistics */
diff -Naur -b snort/src/util.c snort+/src/util.c
--- snort/src/util.c	Fri Apr 12 04:11:16 2002
+++ snort+/src/util.c	Wed Apr 17 14:44:40 2002
@@ -663,7 +663,7 @@
             if(!S_ISDIR(pt.st_mode) || access(pv.pid_path, W_OK) == -1)
             {
                 LogMessage("WARNING: %s is invalid, logging Snort "
-                        "PID to log directory (%s)\n", pv.pid_path,
+                        "PID path to log directory (%s)\n", pv.pid_path,
                         pv.log_dir);
 
                 snprintf(pv.pid_path, STD_BUF, "%s/", log_dir);
@@ -671,7 +671,7 @@
         }
         else
         {
-            LogMessage("PID stat checked out ok, PID set to %s\n", _PATH_VARRUN);
+            LogMessage("PID path stat checked out ok, PID path set to %s\n", _PATH_VARRUN);
             strlcpy(pv.pid_path, _PATH_VARRUN, STD_BUF);
         }
     }
@@ -684,15 +684,17 @@
         FatalError("ERROR: CreatePidFile() failed to lookup interface or pid_path is unknown!\n");
     }
 
-    LogMessage("Writing PID file to \"%s\"\n", pv.pid_path);
-
-    snprintf(pv.pid_filename, STD_BUF,  "%s/snort_%s.pid", pv.pid_path, intf);
+    snprintf(pv.pid_filename, STD_BUF,  "%s/snort_%s%s.pid", pv.pid_path, intf,
+		    pv.pidfile_suffix);
 
     pid_file = fopen(pv.pid_filename, "w");
 
     if(pid_file)
     {
-        fprintf(pid_file, "%d\n", (int) getpid());
+	int pid = (int) getpid();
+
+        LogMessage("Writing PID \"%d\" to file \"%s\"\n", pid, pv.pid_filename);
+        fprintf(pid_file, "%d\n", pid);
         fclose(pid_file);
     }
     else
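Review bot: The new `int pid = (int) getpid();` line is indented with a tab while its neighbours use spaces; match the surrounding indentation. `fprintf` and `fclose` results are still unchecked, so a write error leaves an empty or truncated pid file with no diagnostic — pre-existing, but now that the message names the file, reporting a failed `fclose` there too is cheap: `if (fclose(pid_file) != 0) LogMessage("WARNING: could not close \"%s\"\n", pv.pid_filename);`. The `snprintf` into `pv.pid_filename` is likewise not checked for truncation and now carries the user-supplied suffix; the `-R` parser bounds that suffix, so this is a robustness note rather than a defect, but a `value >= STD_BUF` check would make it explicit. CreatePidFile begins and ends outside the hunk.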

