[Snort-devel] Snort 2.4.3 perfmonitor not finishing log entries properly

Eric Lauzon eric.lauzon at ...1967...
Fri Mar 3 09:06:02 EST 2006

One other way which is mabey not nice to stop snort but work well
is to 

ifconfig <monitored interface> down

pcap_loop will fail thus clean_exit without issues.

have a nice week-end

PS: might not be a good way to clean_stop snort if your running it in
IPS mode :P

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Steven Sturges
> Sent: 3 mars 2006 11:29
> To: Alex Butcher
> Cc: Snort Dev
> Subject: Re: [Snort-devel] Snort 2.4.3 perfmonitor not 
> finishing log entries properly
> This relates to the issue that the signal handlers were 
> causing snort to exit immediately.  Assuming the signal isn't 
> a SEGV in writing the data, that is easily addressed (will be 
> in the next release of snort).
> If you kill -9 the snort process, all bets are off.  :)
> Cheers
> -steve
> Alex Butcher wrote:
> > Hi -
> > 
> > Sometimes, the perfmonitor pre-processor in 2.4.3 doesn't 
> finish its 
> > log entries properly (presumably when snort gets killed or dies), 
> > leading to lines with the wrong number of fields. Couldn't snort do 
> > some signal trapping and make sure it finishes log entries 
> before it dies?
> > 
> > Cheers,
> > Alex.
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking 
> scripting language that extends applications into web and 
> mobile media. Attend the live webcast and join the prime 
> developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel


Le present message est a l'usage exclusif du ou des destinataires mentionnes ci-dessus. Son contenu est confidentiel et peut etre assujetti au secret professionnel. Si vous avez recu le present message par erreur, veuillez nous en aviser immediatement et le detruire en vous abstenant d'en faire une copie, d'en divulguer le contenu ou d'y donner suite.


This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication by error, please notify the sender and delete the message without copying or disclosing it.

More information about the Snort-devel mailing list