[Snort-devel] spo_unified round-up patch
eric.lauzon at ...1967...
Wed Jan 17 16:00:30 EST 2007
Good afternoon @ all,
as promised, here is the spo_unified patch I was talking about
in my previous e-mail.
Before running that patch, be sure that
you are using
<snip from snort.conf>
<snip from snort.conf>
If you are not using it, this patch might not be for you.
In my previous email I stated that my patch covered the 3 unified output modes.
I am sorry to say that, looking back at what we have been effectively using, I remembered
why 2 modes were not patched.
Those modes have been left untouched due to some backward compatibility stuff.
The main goal of this patch was to fix some race condition that would be happening
when, for example, stopping snort with a signal like SIGHUP to make it reload its config.
There were other contexts where this would happen, but the issue was mostly re-occurring
each time a SIGHUP or a stop operation generated a signal to the snort process.
As mentioned in the previous e-mail, one way to fix this issue was to bring down the interface
for a clean exit. But I guess people running in IPS mode might not want to do that :).
To fix the problem, we use a static memory buffer which is filled with the information,
and instead of using glibc fwrite, we use the write system call. There might be some overhead
using write instead of fwrite, but mainly this choice was made to bring reliability into
the logging process, since it has been found that it was also possible to race glibc
into not writing its information to the file even with an fflush, and even though we were using a
static memory bucket to hold the information.
The function UnifiedLogAlert is still exposed to this issue,
but I guess it's a lesser issue since it's a text-formatted file.
This patch also contains a fix for a forgotten line in the last patch I sent in
to fix the tagged packet behavior; see function RealUnifiedLogStreamAlert.
The alert format functions were not touched since, under our build, we do
not duplicate the information logged.
Anyone who is interested in getting some speed out of the pig should, by themselves,
modify the spo_unified.c and event_wrapper.c files and comment out these lines:
void UnifiedInit(u_char *args)
-----> /*AddFuncToOutputList(UnifiedLogAlert, NT_OUTPUT_ALERT, unifiedConfig);*/
u_int32_t GenerateSnortEvent(Packet *p,
-----> /*CallAlertFuncs(p, msg, NULL, &event);*/
I hope it helps some people. Have a nice evening, and
if by any chance there are comments or questions, feel free to send them to me.
[Research & Development]
Above Sécurité / Above Security
Tel: (450) 430-8166
Fax : (450) 430-1858
"Premature optimization is the root of all evil (or at least most of it) in programming."
- Donald Knuth
CONFIDENTIALITY NOTICE
This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication in error, please notify the sender and delete the message without copying or disclosing it.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 25135 bytes
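The following is an added example, written for this archive page; it is not the scrubbed attachment and not Snort's spo_unified.c. It demonstrates the two points the mail makes: a record assembled in a static bucket and pushed out with write(2) in a loop that survives EINTR and short writes, beside the fwrite(3) path whose user-space buffer is simply discarded when the process is killed by a signal before any fflush. The ExampleEventHdr layout, the function names, the /tmp path and the 60 sample packet bytes are this example's own constructions, not Snort's unified format.

```c
/* Added example: static-bucket logging via write(2) versus fwrite(3),
 * compared under an abrupt signal death. Not Snort code. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical fixed-size event header (16 bytes); field names are this
 * example's, not spo_unified's. */
typedef struct {
    uint32_t sig_generator;
    uint32_t sig_id;
    uint32_t sig_rev;
    uint32_t pkt_len;
} ExampleEventHdr;

/* Static bucket reused for every record, as the mail describes: nothing is
 * allocated on the logging path. */
#define BUCKET_SIZE 65536
static unsigned char log_bucket[BUCKET_SIZE];

/* Write exactly len bytes or fail. Retries on EINTR (a SIGHUP landing in the
 * middle of the syscall) and on short writes. Returns 0 on success, -1 on error. */
int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Copy header + packet bytes into the static bucket and hand the whole record
 * to the kernel in one write_all() call. Returns bytes written, or -1. */
ssize_t log_event(int fd, const ExampleEventHdr *hdr,
                  const unsigned char *pkt, size_t pkt_len)
{
    size_t total = sizeof(*hdr) + pkt_len;
    if (total > BUCKET_SIZE)
        return -1;              /* refuse oversized records rather than truncate */
    memcpy(log_bucket, hdr, sizeof(*hdr));
    memcpy(log_bucket + sizeof(*hdr), pkt, pkt_len);
    if (write_all(fd, log_bucket, total) != 0)
        return -1;
    return (ssize_t)total;
}

/* Log one constructed record from a child process, kill the child with a
 * signal before it can flush anything, and report how many bytes actually
 * reached the file. use_stdio=1: fwrite(3); use_stdio=0: the bucket + write(2).
 * Returns the file size in bytes, or -1 on setup failure. */
long bytes_on_disk_after_signal(int use_stdio)
{
    char path[] = "/tmp/spo_unified_example_XXXXXX";   /* assumed writable */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                                       /* lives only while fd is open */

    unsigned char pkt[60];                              /* constructed sample packet bytes */
    for (size_t i = 0; i < sizeof pkt; i++)
        pkt[i] = (unsigned char)i;
    ExampleEventHdr hdr = { 1, 1000001, 2, (uint32_t)sizeof pkt };

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        if (use_stdio) {
            FILE *fp = fdopen(fd, "w");  /* fully buffered: bytes stay in user space */
            fwrite(&hdr, sizeof hdr, 1, fp);
            fwrite(pkt, sizeof pkt, 1, fp);
        } else {
            log_event(fd, &hdr, pkt, sizeof pkt);
        }
        raise(SIGKILL);                  /* die like a killed daemon: no fflush, no exit handlers */
        _exit(1);
    }
    int status;
    waitpid(pid, &status, 0);
    struct stat st;
    long size = (fstat(fd, &st) == 0) ? (long)st.st_size : -1;
    close(fd);
    return size;
}

int main(void)
{
    printf("fwrite path left %ld bytes on disk; write(2) path left %ld bytes\n",
           bytes_on_disk_after_signal(1), bytes_on_disk_after_signal(0));
    return 0;
}
```

The fwrite path leaves an empty file because the 76-byte record never left glibc's stream buffer before the signal; the write(2) path leaves all 76 bytes because the record was copied into the kernel page cache by the time the call returned. The same loop also covers the EINTR and short-write cases that a bare write() call would otherwise mishandle.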