[Snort-devel] [ snort-Bugs-552950 ] Leaking bpf file descriptors

noreply at ...12... noreply at ...12...
Mon Jun 17 20:12:05 EDT 2002


Bugs item #552950, was opened at 2002-05-06 10:40
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=552950&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Leaking bpf file descriptors

Initial Comment:
Under older versions of openBSD 2.7 , 2.6 (only ones 
i've tested) the following code causes bpf devices to 
stay open after a kill -HUP of snort

snort.c

#ifndef HPUX
        /* kludge for Linux */
        InitializeInterfaces();
#endif /* HPUX */

Commenting out the InitializeInterfaces seems to fix 
the problem.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2002-06-12 21:35

Message:
Logged In: NO 

Oh, I neglected to mention I've used every single 1.8
version as well as the latest snort-stable snapshots on my
NetBSD 1.5.2 system and this problem has not been fixed in
any of those.  I should hope an old bug was not reintroduced
into a new version.

Am I missing something here?

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2002-06-11 09:57

Message:
Logged In: NO 

only SORTA fixed:
If you use a bpf filter (-F option) then the fd that opened the 
bpf filter stays open

Also, a bpf of not src 10.1.1.10 will prevent all tcp,icmp and 
udp alerts and logs and tcpdumps.  only alerts that show up 
are stream4.
FREEBSD 4.5, snort beta 7.


----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2002-06-11 09:30

Message:
Logged In: NO 

Twas fixed in 1.8.7 beta5 or 6

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2002-06-10 15:17

Message:
Logged In: NO 

I'm running NetBSD 1.5.2 (and above) and have the same
problem with bpf devices and kill -HUP to snort.

I have 8 bpf interfaces (bpf0-7), so I can successfully
hangup only 7 times at best.

When I make the change recommended here, commenting out
InitializeInterfaces(), snort starts up alright but within 5
seconds I get "Segmentation Fault".

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2002-05-08 14:28

Message:
Logged In: NO 

affects FREEBSD 4.5 also.
lsof  grep dev/bpf shows one bpf

HUP snort, lsoft | grep /dev/bpf shows 2, etc till you use 
them all up.



----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=552950&group_id=3357




More information about the Snort-devel mailing list