[Snort-devel] Race condition between snort and third party log processors (mudpit, barnyard and FLoP too?)

AJ Butcher, Information Systems and Computing Alex.Butcher at ...2437...
Thu Jun 10 08:55:28 EDT 2004


Hi -

Mudpit requires the sid-msg.map, reference.config and classification.config 
files to match the current set of rules in use by snort. It reads these 
files once at startup, and AFAICS, when it is sent a HUP signal.

If a new set of rules is put in place for snort, and snort restarted, these 
files must therefore be rebuilt. Unfortunately, if mudpit is processing a 
backlog (e.g. from 10 minutes ago) and is sent the HUP signal to force a 
reload, then the /new/ entries in sid-msg, reference & classification will 
be applied to /old/ entries, meaning the events as logged in the event 
database won't make sense any more.

It's my suggestion that to fix this, when snort calls UnifiedInitFile() in 
spo_unified.c, it should also generate these files itself and with the same 
numeric extension so that third-party spool processors will always be using 
the appropriate definitions for the unified spool file(s) they're currently 
processing.

Does this sound sane to the snort/log processor developers?

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
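
The race described in the post, and the proposed fix of writing a matching sid-msg.map snapshot with the same numeric extension as each unified spool file, as an added illustration that is not snort's or mudpit's own code. The "sid || msg" line format of sid-msg.map is the real one; the spool directory is a dict standing in for the filesystem, and the rule sets, sids, timestamps and function names (`open_unified_file`, `process_with_current_map`, `process_with_matching_map`) are constructed for this example.

```python
"""Race between a unified spool writer and a log processor that reloads
sid-msg.map on HUP while still working through an older spool file.
Added example; not code from snort or mudpit."""

from typing import Dict, List, Tuple


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Parse sid-msg.map lines of the form 'sid || message [|| reference ...]'."""
    mapping: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        mapping[int(parts[0])] = parts[1]
    return mapping


class SpoolDir:
    """Dict-backed stand-in for snort's log directory (constructed, not real I/O)."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}


def open_unified_file(spool: SpoolDir, base: str, sid_msg_text: str, stamp: int) -> str:
    """The proposal from the post: when a new unified file <base>.<stamp> is
    opened, also write sid-msg.map.<stamp> so the pair always matches."""
    name = f"{base}.{stamp}"
    spool.files[name] = ""
    spool.files[f"sid-msg.map.{stamp}"] = sid_msg_text
    return name


def log_event(spool: SpoolDir, name: str, sid: int) -> None:
    """Append one event (just its sid, for this illustration) to a spool file."""
    spool.files[name] += f"{sid}\n"


def process_with_current_map(spool: SpoolDir, name: str, live_map_text: str) -> List[str]:
    """Current behaviour: resolve sids with whatever sid-msg.map is live
    at processing time, regardless of which spool file is being read."""
    mapping = parse_sid_msg_map(live_map_text)
    return [mapping.get(int(s), "<unknown>") for s in spool.files[name].split()]


def process_with_matching_map(spool: SpoolDir, name: str) -> List[str]:
    """Proposed behaviour: load the snapshot that shares the spool file's
    numeric extension, so a backlog is decoded with the rules it was written under."""
    stamp = name.rsplit(".", 1)[1]
    mapping = parse_sid_msg_map(spool.files[f"sid-msg.map.{stamp}"])
    return [mapping.get(int(s), "<unknown>") for s in spool.files[name].split()]


def demo() -> Tuple[List[str], List[str]]:
    """Replay the scenario: old spool file, rule update plus restart, then a
    HUP to the processor while it is still on the old backlog."""
    spool = SpoolDir()
    old_map = "1000001 || WEB-MISC old probe\n1000002 || SCAN old sweep\n"
    new_map = "1000001 || WEB-MISC renumbered rule\n1000003 || DNS new query\n"

    # snort starts with the old rule set and logs two events (constructed sids)
    old_file = open_unified_file(spool, "snort.alert", old_map, 1086871200)
    log_event(spool, old_file, 1000001)
    log_event(spool, old_file, 1000002)

    # rules are rebuilt and snort restarted: new spool file, new map snapshot
    new_file = open_unified_file(spool, "snort.alert", new_map, 1086871800)
    log_event(spool, new_file, 1000003)

    # the processor is HUPed now but is still decoding old_file
    wrong = process_with_current_map(spool, old_file, new_map)
    right = process_with_matching_map(spool, old_file)
    return wrong, right


if __name__ == "__main__":
    mismatched, matched = demo()
    print("live map applied to old backlog:", mismatched)
    print("snapshot matching the spool file:", matched)
```

With the live map, sid 1000001 from the old backlog is reported under the renumbered rule's message and sid 1000002 is unknown; with the per-file snapshot both resolve to the messages that were in force when the events were logged.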