[Snort-devel] alerts file newsyslog rotation with non-root user

Soner Tari list at ...2932...
Sat Dec 22 07:47:17 EST 2007


I am running snort 2.8.0.1 on OpenBSD 4.2. I have the following line in
newsyslog.conf:

/var/snort/log/alert 600 99 10000 * Z "/bin/kill -HUP \
                          $(/bin/cat /var/run/snort_*.pid)"

Since snort is running with user:group _snort:_snort, log rotation would
not work with the alerts file. So I applied the following diff of mine:

--- src/snort.c.orig	Fri Dec 21 00:32:45 2007
+++ src/snort.c	Fri Dec 21 00:38:13 2007
@@ -3954,6 +3954,8 @@ static void SigHupHandler(int signal)
 void SigCantHupHandler(int signal)
 {
     LogMessage("Reload via Signal HUP does not work if you aren't root
or are chroot'ed\n");
+    LogMessage("Reopening alerts file after newsyslog rotation");
+    AlertFullInit(NULL);
 }
 
 #ifdef TIMESTATS
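Review bot: The added `AlertFullInit(NULL)` (and the `LogMessage` before it) runs directly inside the signal handler, and neither is async-signal-safe: both do file I/O, so a SIGHUP arriving while the main loop is in the middle of writing or logging can deadlock or corrupt the output state. The safer shape is for `SigCantHupHandler` to only set a `volatile sig_atomic_t` flag and for the packet loop to reopen the alert file when it sees the flag. Two smaller points: the new message lacks the trailing `\n` that the existing `LogMessage("Reload via Signal HUP does not work ...\n")` line carries, and the reopen only covers the full-alert output, so anyone using a different output plugin still gets no rotation (the post itself notes it was only tested with full alerts). It is also not visible here whether `AlertFullInit(NULL)` closes the previously opened handle before opening a new one; worth confirming it does not leak a descriptor on every rotation.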

Thanks to this diff, now I am able to rotate alerts file successfully.
Everything seems fine in my case, because I use full alerts.

But I am not sure if this is the best and general solution to this
issue, or if there are hidden problems this diff introduces (I haven't
seen any yet during its operation).

I would appreciate it if snort developers could comment on this diff, and,
if possible, apply this diff or a better solution to the next releases.
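The pattern behind the request, shown as an added example that is not Snort's code and not the poster's patch: the SIGHUP handler only sets a flag, and the main loop reopens the alert file by path, which is what picks up the new inode after newsyslog has renamed the old file. The function names, the `/tmp/snort_alert_example` path and the two alert lines are constructed for the example; `simulate_rotation` walks through the scenario from the post (write, rename as newsyslog does, HUP, write again) and returns the size of the freshly created file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample alert lines (not Snort output). */
static const char *ALERT_BEFORE = "[**] constructed alert before rotation [**]\n";
static const char *ALERT_AFTER  = "[**] constructed alert after rotation [**]\n";

/* The handler only stores a flag: one store to a volatile sig_atomic_t is
 * async-signal-safe; open()/close()/fprintf() inside a handler are not. */
static volatile sig_atomic_t reopen_requested = 0;

static void hup_handler(int sig)
{
    (void)sig;
    reopen_requested = 1;
}

/* Install the SIGHUP handler with sigaction(2). Returns 0 on success. */
int install_hup_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = hup_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGHUP, &sa, NULL);
}

/* (Re)open the alert file by path and swap it into *fdp. The old descriptor
 * is closed only after the new one is open, so no alert hits a closed fd.
 * Mode 0600 matches the newsyslog.conf entry in the post. */
int reopen_alert_file(const char *path, int *fdp)
{
    int newfd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (newfd < 0)
        return -1;
    if (*fdp >= 0)
        close(*fdp);
    *fdp = newfd;
    return 0;
}

/* Called from the main loop, never from the handler. Returns 1 if the file
 * was reopened, 0 if no HUP was pending, -1 if the reopen failed. */
int service_reopen(const char *path, int *fdp)
{
    if (!reopen_requested)
        return 0;
    reopen_requested = 0;
    return reopen_alert_file(path, fdp) == 0 ? 1 : -1;
}

/* Write one alert line fully; returns bytes written or -1. */
long write_alert(int fd, const char *line)
{
    size_t len = strlen(line), done = 0;
    while (done < len) {
        ssize_t n = write(fd, line + done, len - done);
        if (n < 0)
            return -1;
        done += (size_t)n;
    }
    return (long)done;
}

/* Scenario from the post: write, rename as newsyslog does (path -> path.0),
 * deliver SIGHUP, service it in the "main loop", write again. Returns the
 * size of the new file at path (only the post-rotation alert) or -1. */
long simulate_rotation(const char *path)
{
    char rotated[512];
    struct stat st;
    int fd = -1;

    if (snprintf(rotated, sizeof rotated, "%s.0", path) >= (int)sizeof rotated)
        return -1;
    unlink(path);
    unlink(rotated);
    if (install_hup_handler() != 0 || reopen_alert_file(path, &fd) != 0)
        return -1;
    if (write_alert(fd, ALERT_BEFORE) < 0)
        return -1;
    /* After the rename the open descriptor still points at the old inode;
     * without a HUP, alerts would keep landing in path.0. */
    if (rename(path, rotated) != 0 || service_reopen(path, &fd) != 0)
        return -1;
    if (raise(SIGHUP) != 0 || service_reopen(path, &fd) != 1)
        return -1;
    if (write_alert(fd, ALERT_AFTER) < 0)
        return -1;
    close(fd);
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void)
{
    long n = simulate_rotation("/tmp/snort_alert_example");
    printf("new alert file holds %ld bytes (expected %zu)\n", n, strlen(ALERT_AFTER));
    return n == (long)strlen(ALERT_AFTER) ? 0 : 1;
}
```

Because the reopen happens in the main loop rather than in the handler, it needs no root privilege and does not depend on Snort's full HUP restart path, which is the case the post is working around.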