[Snort-devel] spo_unified round-up patch

Eric Lauzon eric.lauzon at ...1967...
Wed Jan 17 16:00:30 EST 2007

Good afternoon @ all,

As promised, here is the spo_unified patch I was talking about
in my previous e-mail.

Before running that patch be sure that
you are using 

<snip from snort.conf>
output unified: 
<snip from snort.conf>

If you are not using it, this patch might not be for you.

In my previous email I stated that my patch covered the 3 unified output modes.

I am sorry to say that, looking back at what we have been effectively using, I remembered
why 2 modes were not patched.


modes have been left untouched due to some backward compatibility stuff.

The main goal of this patch was to fix some race conditions that would happen
when, for example, stopping snort with a signal like SIGHUP to make it reload its config.

There were other contexts where this would happen, but the issue was mostly recurring
each time a SIGHUP or a stop operation that generates a signal to the snort process
was occurring.

As mentioned in the previous e-mail, one way to fix this issue was to bring down the interface
for a clean exit. But I guess people running in IPS mode might not want to do that :).

To fix the problem, we use a static memory buffer which is filled with the information,
and instead of using glibc fwrite, we use the write system call. There might be some overhead
using write instead of fwrite, but mainly this choice was made to bring reliability into
the logging process, since it has been found that it was also possible to race glibc
into not writing its information to the file even after an fflush, and that we were using a
static memory bucket to hold the information.

The function UnifiedLogAlert is still exposed to this issue,
but I guess it's a lesser issue since it's a text-formatted file.

This patch also contains a fix for a forgotten line in the last patch I sent in
to fix the tagged packet behavior. See function RealUnifiedLogStreamAlert.

The alert format functions were not touched, since under our build we do
not duplicate the information logged.

Anyone who is interested in getting some speed out of the pig should themselves
modify the spo_unified.c and event_wrapper.c files and comment out these lines:

In function: 
void UnifiedInit(u_char *args)
-----> /*AddFuncToOutputList(UnifiedLogAlert, NT_OUTPUT_ALERT, unifiedConfig);*/


In function:
u_int32_t GenerateSnortEvent(Packet *p,
                            u_int32_t gen_id,
                            u_int32_t sig_id,
                            u_int32_t sig_rev,
                            u_int32_t classification,
                            u_int32_t priority,
                            char *msg)
----->    /*CallAlertFuncs(p, msg, NULL, &event);*/

I hope it helps some people. Have a nice evening, and
if by any chance there are comments or questions, feel free to send them to me.

Eric Lauzon
[Research & Development]
Above Sécurité / Above Security
Tel : (450) 430-8166
Fax : (450) 430-1858 
"Premature optimization is the root of all evil (or at least most of it) in programming."
- Donald Knuth


This message is for the exclusive use of the addressee(s) named above. Its content is confidential and may be subject to professional privilege. If you have received this message by error, please notify us immediately and destroy it, without making a copy, disclosing its content or acting upon it.


This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication by error, please notify the sender and delete the message without copying or disclosing it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spo_unified.patch
Type: application/octet-stream
Size: 25135 bytes
Desc: spo_unified.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20070117/6320d507/attachment.obj>
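The property the patch relies on, shown as an added example that is not part of the original e-mail or of Snort: a record handed to write(2) is already in the kernel when the process dies abruptly, while the same record sitting in a stdio (fwrite) buffer is lost. The sample record, the scratch path under /tmp, and SIGKILL as the stand-in for an abrupt termination are all constructed for this demonstration.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample record standing in for one unified log entry;
   this is not Snort's real unified record layout. */
static const char RECORD[] = "alert gid=1 sid=1000001 rev=1\n";

/* Fork a child that logs one record either through stdio (fwrite) or
   through the write(2) syscall, then dies from a signal before any
   fflush/exit handler can run. Returns the bytes that reached the file,
   or -1 on error. */
static long bytes_on_disk_after_signal(const char *path, int use_syscall)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (use_syscall) {
            int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
            if (fd >= 0) {
                ssize_t n = write(fd, RECORD, strlen(RECORD)); /* now in the kernel */
                (void)n;
            }
        } else {
            FILE *f = fopen(path, "w");
            if (f) fwrite(RECORD, 1, strlen(RECORD), f);  /* still in the stdio buffer */
        }
        raise(SIGKILL); /* abrupt death: no atexit, no fflush, buffer is gone */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (long)st.st_size;
}

int main(void)
{
    const char *path = "/tmp/spo_unified_demo.log"; /* constructed scratch path */
    printf("fwrite then SIGKILL: %ld bytes on disk\n", bytes_on_disk_after_signal(path, 0));
    printf("write  then SIGKILL: %ld bytes on disk\n", bytes_on_disk_after_signal(path, 1));
    return 0;
}
```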
