[Snort-devel] Solaris race condition: Diagnosis and solution

Steven Sturges steve.sturges at ...402...
Wed Dec 6 16:12:15 EST 2006


Thanks, Greg.

We'll have a look at this and see if we can update Snort
to work better on the Solaris 10 platform.

Cheers.
-steve

Greg Baran wrote:
> Hello Snort Developers:
> 
>  
> 
> The Problem:
> 
>  
> 
> We needed to set up snort to run as a Solaris 10 service in a production 
> environment. We set snort up to run in daemon mode under the Solaris 
> service model. And we quickly ran into problems. Sometimes the snort 
> daemon process would start running correctly, other times it would 
> silently fail, reporting that it had received the SIGPROF signal. It 
> seemed very odd that this signal should have been asserted.
> 
>  
> 
> The Diagnosis and Solution:
> 
>  
> 
> Through a combination of printf and Solaris’s dtrace, it was discovered 
> that there is a race condition involving the fork() of the child process 
> in the GoDaemon() function of util.c. The timing of signals under 
> Solaris 10 is quite different from that of many forms of Linux. As the 
> code stood originally, the child process can signal the parent before it 
> is prepared to catch the signal. Moving the call to signal() above the 
> fork() solves this problem on Solaris 10.
> 
>  
> 
> Looking at my modifications now, the signal() call probably belongs 
> between the test of getppid() and the call to fork(). No harm the way it 
> is, but the following is probably more nearly correct:
> 
>  
> 
>     if(getppid() != 1)
> 
>     {
> 
>         signal(SIGNAL_SNORT_CHILD_READY, SigChildReadyHandler);
> 
>         if (errno != 0) errno=0;
> 
>         fs = fork();
> 
>  
> 
> Secondary Issue:
> 
>  
> 
> The snort.h file defines SIGNAL_SNORT_ROTATE_STATS and 
> SIGNAL_SNORT_CHILD_READY as simple integer constants. This caused the 
> original confusion about what was happening with the failure of the 
> daemon initialization since signal 29 happens to be SIGPROF in Solaris 
> 10. To avoid this confusion, I changed the value from 29 to SIGUSR2.
> 
>  
> 
> Solaris Services:
> 
>  
> 
> I have also included the two files needed to run snort as an SMF 
> service, the manifest app-snort.xml file and the app-snort module shell 
> script file. Consult Sun SMF documentation on their use.
> 
>  
> 
> Included:
> 
>  
> 
> I have included a tar file that has the changed versions of snort.c, 
> snort.h, and util.c, a diffs file, and the SMF files.
> 
>  
> 
> Hoping this helps,
> 
> Greg Baran
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 
> 
> -- 
> Confidential: This email is intended only for the person or entity to 
> which it is addressed. The information contained in this email may be 
> confidential and privileged. Any retransmission, review, dissemination 
> or other use of, or taking of any action in reliance upon, this 
> information by persons or entities other than the intended recipient is 
> prohibited. If you received this email in error, please let us know by 
> reply and destroy all copies of it. Thank you.
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel





More information about the Snort-devel mailing list