[Snort-devel] Race condition between snort and third party log processors (mudpit, barnyard and FLoP too?)
AJ Butcher, Information Systems and Computing
Alex.Butcher at ...2437...
Thu Jun 10 08:55:28 EDT 2004
Mudpit requires the sid-msg.map, reference.config and classification.config
files to match the current set of rules in use by snort. It reads these
files once at startup, and AFAICS, when it is sent a HUP signal.
If a new set of rules is put in place for snort, and snort restarted, these
files must therefore be rebuilt. Unfortunately, if mudpit is processing a
backlog (e.g. from 10 minutes ago) and is sent the HUP signal to force a
reload, then the /new/ entries in sid-msg, reference & classification will
be applied to /old/ entries, meaning the events as logged in the event
database won't make sense any more.
It's my suggestion that to fix this, when snort calls UnifiedInitFile() in
spo_unified.c, it should also generate these files itself and with the same
numeric extension so that third-party spool processors will always be using
the appropriate definitions for the unified spool file(s) they're currently
Does this sound sane to the snort/log processor developers?
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
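To make the proposal concrete, here is an added illustration (not code from the Snort project, from mudpit, or from the post's author) of a log processor that keys its sid-msg.map on the numeric extension of the unified spool file it is reading, instead of holding one global map that is replaced on HUP. It assumes the sid-msg.map layout of `sid || message || reference` and spool file names of the form `snort.log.<epoch>`; the file names, map contents and event lists are constructed sample data.

```python
"""
Added illustration: each unified spool file snort.log.<epoch> is paired with a
sid-msg.map.<epoch> written at the same time, and events from a spool file are
resolved only against the map carrying the same extension. Constructed sample
data throughout; not Snort's or mudpit's own code.
"""
import re

# sid-msg.map lines use the "sid || message || reference, reference" layout.
MAP_LINE = re.compile(r"^\s*(\d+)\s*\|\|\s*([^|]+?)\s*(?:\|\|\s*(.*))?$")


def parse_sid_msg_map(text):
    """Return {sid: message} from sid-msg.map text; blank lines and comments are skipped."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if m is None:
            raise ValueError("malformed sid-msg.map line: %r" % line)
        mapping[int(m.group(1))] = m.group(2).strip()
    return mapping


def numeric_extension(filename):
    """Trailing numeric extension, e.g. 'snort.log.1086876000' -> 1086876000."""
    m = re.search(r"\.(\d+)$", filename)
    if m is None:
        raise ValueError("no numeric extension on %r" % filename)
    return int(m.group(1))


def select_map_for_spool(spool_name, map_files):
    """Pick the sid-msg.map whose extension equals the spool file's extension.

    map_files is {filename: text}. Refusing to fall back to "the newest map"
    is the point: a backlog from an older spool must never be decoded with
    definitions written for a later rule set.
    """
    wanted = numeric_extension(spool_name)
    for name, text in map_files.items():
        if name.startswith("sid-msg.map.") and numeric_extension(name) == wanted:
            return parse_sid_msg_map(text)
    raise LookupError("no sid-msg.map matching spool extension %d" % wanted)


def resolve_events(spool_name, events, map_files):
    """Return [(sid, message)] for the sids read from spool_name."""
    mapping = select_map_for_spool(spool_name, map_files)
    return [(sid, mapping.get(sid, "<unknown sid>")) for sid in events]


# Constructed sample: the rule set changed between two snort restarts, and the
# new set reuses sid 1000001 for a different rule (the mismatch the post warns about).
OLD_MAP = "1000001 || OLD-RULE alpha || url,example.invalid/a\n"
NEW_MAP = "1000001 || NEW-RULE beta || url,example.invalid/b\n1000002 || NEW-RULE gamma\n"
MAP_FILES = {"sid-msg.map.1086876000": OLD_MAP, "sid-msg.map.1086877000": NEW_MAP}

OLD_SPOOL_EVENTS = [1000001]           # backlog still being processed after the restart
NEW_SPOOL_EVENTS = [1000001, 1000002]  # events written under the new rule set


def demo():
    """Resolve both spools; the old backlog keeps its original rule names."""
    old = resolve_events("snort.log.1086876000", OLD_SPOOL_EVENTS, MAP_FILES)
    new = resolve_events("snort.log.1086877000", NEW_SPOOL_EVENTS, MAP_FILES)
    # With one global map reloaded on HUP, the old backlog would be labelled
    # "NEW-RULE beta"; per-spool maps keep it as "OLD-RULE alpha".
    return old, new


if __name__ == "__main__":
    old_rows, new_rows = demo()
    for label, rows in (("old", old_rows), ("new", new_rows)):
        for sid, msg in rows:
            print("%s spool: sid %d -> %s" % (label, sid, msg))
```

The same lookup would apply to reference.config and classification.config; the processor's only state is "which extension am I reading", so a HUP no longer changes how an in-flight backlog is decoded.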