The Problem:


We needed to set up snort to run as a Solaris 10 service in a production
environment. We set snort up to run in daemon mode under the Solaris
service model. And we quickly ran into problems. Sometimes the snort
daemon process would start running correctly, other times it would
silently fail, reporting that it had received the SIGPROF signal. It
seemed very odd that this signal should have been asserted.


The Diagnosis and Solution:


Through a combination of printf and Solaris's dtrace, it was discovered
that there is a race condition involving the fork() of the child process
in the GoDaemon() function of util.c. The timing of signals under
Solaris 10 is quite different from that of many forms of Linux. As the
code stood originally, the child process can signal the parent before it
is prepared to catch the signal. Moving the call to signal() above the
fork() solves this problem on Solaris 10.


Looking at my modifications now, the signal() call probably belongs
between the test of getppid() and the call to fork(). No harm the way it
is, but the following is probably more nearly correct:


    if(getppid() != 1)


        signal(SIGNAL_SNORT_CHILD_READY, SigChildReadyHandler);

        if (errno != 0) errno=0;

        fs = fork();


Secondary Issue:


The snort.h file defines SIGNAL_SNORT_ROTATE_STATS and
SIGNAL_SNORT_CHILD_READY as simple integer constants. This caused the
original confusion about what was happening with the failure of the
daemon initialization since signal 29 happens to be SIGPROF in Solaris
10. To avoid this confusion, I changed the value from 29 to SIGUSR2.


Solaris Services:


I have also included the two files needed to run snort as an SMF
service, the manifest app-snort.xml file and the app-snort module shell
script file. Consult Sun SMF documentation on their use.




I have included a tar file that has the changed versions of snort.c,
snort.h, and util.c, a diffs file, and the SMF files.


