[Snort-devel] Snort 2.4.3 perfmonitor not finishing log entries properly

Steven Sturges steve.sturges at ...402...
Thu Mar 9 06:00:06 EST 2006


Yes, sending snort a SIGTERM in the 2.4.x code base
caused Snort to exit right then and there (after
logging a few exit messages).

When the perfmon logging is interrupted by the signal,
control never returns from the sig handler.

This has been addressed in the 2.6 branch that was
announced yesterday.  It catches the SIGTERM, but does
finish processing the packet it was working on at
the time -- then exits.

Cheers.
-steve

Alex Butcher wrote:
> Steven Sturges wrote:
> 
>>This relates to the issue that the signal handlers were
>>causing snort to exit immediately.  Assuming the
>>signal isn't a SEGV in writing the data, that is
>>easily addressed (will be in the next release of snort).
>>
>>If you kill -9 the snort process, all bets are off.  :)
> 
> 
> Cheers.
> 
> I'm using the standard RH killproc() function in /etc/init.d/functions,
> without specifying a signal. Reading killproc(), this should send
> SIGTERM, sleep for 100s, then send SIGKILL if it's not already dead.
> 
> 
>>Cheers
>>-steve
> 
> 
> Cheers,
> Alex.





More information about the Snort-devel mailing list