[Snort-devel] spo_unified round-up patch

Steven Sturges steve.sturges at ...402...
Fri Jan 19 16:50:23 EST 2007


Hi Eric--

Thanks for the patch, we'll look at it and may try to
include it (or similar functionality for spo_unified)
in a future version of snort.

Cheers.
-steve

Eric Lauzon wrote:
> Good afternoon @ all,
> 
> As promised, here is the spo_unified patch I was talking about
> in my previous e-mail.
> 
> Before applying that patch, be sure that
> you are using
> 
> <snip from snort.conf>
> output unified: 
> <snip from snort.conf>
> 
> If you are not using it, this patch might not be for you.
> 
> In my previous e-mail I stated that my patch covered the 3 unified output modes.
> 
> I am sorry to say that, looking back at what we have effectively been using, I remembered
> why 2 modes were not patched.
> 
> Mainly the
> alert_unified
> and
> log_unified
> 
> modes have been left untouched due to some backward compatibility stuff.
> 
> The main goal of this patch was to fix a race condition that would happen
> when, for example, stopping snort with a signal like SIGHUP to make it reload its config.
> 
> There were other contexts where this would happen, but the issue was mostly recurring
> each time a SIGHUP or a stop operation that generates a signal to the snort process
> occurred.
> 
> As mentioned in the previous e-mail, one way to fix this issue was to bring down the interface
> for a clean exit. But I guess people running in IPS mode might not want to do that :).
> 
> To fix the problem, we use a static memory buffer which is filled with the information,
> and instead of using glibc fwrite, we use the write system call. There might be some overhead
> using write instead of fwrite, but mainly this choice was made to bring reliability into
> the logging process, since it has been found that it was also possible to race glibc
> into not writing its information to the file even with an fflush, and even though we were using a
> static memory bucket to hold the information.
> 
> The function UnifiedLogAlert is still exposed to this issue,
> but I guess it's a lesser issue since it's a text-formatted file.
> 
> This patch also contains a fix for a forgotten line in the last patch I sent in
> to fix the tagged packet behavior; see function RealUnifiedLogStreamAlert.
> 
> The alert format functions were not touched, since under our build we do
> not duplicate the information logged.
> 
> Anyone who is interested in getting some speed out of the pig should, by themselves,
> modify the spo_unified.c and event_wrapper.c files and comment out these lines:
> 
> snort_root/src/output_plugin/spo_unified.c: 
> In function: 
> void UnifiedInit(u_char *args)
> <snip>
> -----> /*AddFuncToOutputList(UnifiedLogAlert, NT_OUTPUT_ALERT, unifiedConfig);*/
> <snip>
> 
> 
> AND
> 
> snort_root/src/event_wrapper.c: 
> In function:
> u_int32_t GenerateSnortEvent(Packet *p,
>                             u_int32_t gen_id,
>                             u_int32_t sig_id,
>                             u_int32_t sig_rev,
>                             u_int32_t classification,
>                             u_int32_t priority,
>                             char *msg)
> <snip>
> ----->    /*CallAlertFuncs(p, msg, NULL, &event);*/
> <snip>
> 
> 
> I hope it helps some people. Have a nice evening, and
> if by any chance there are comments or questions, feel free to send them to me.
> 
> 
> Eric Lauzon
> [Recherche & Développement]
> Above Sécurité / Above Security
> Tél  : (450) 430-8166
> Fax : (450) 430-1858 
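The behaviour behind the patch described above (a record sitting in a stdio buffer is lost when the process is torn down by a signal, while a record handed to write(2) from a static buffer already lives in the kernel), as an added example that is not Snort code and not Eric's patch. It assumes a hypothetical fixed-layout record `struct log_rec` in place of the real unified formats, a writable /tmp for the temporary file, and uses a forked child killed with SIGKILL as a stand-in for the signal-driven teardown the e-mail describes. The `bytes_after_kill` helper and the record values are constructed for this example only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical fixed-layout record standing in for a unified log entry;
 * the real spo_unified layouts are not reproduced here. */
struct log_rec {
    uint32_t sig_id;
    uint32_t ts_sec;
    uint32_t pkt_len;
};

/* Push the whole buffer out with write(2). Unlike a single write() call this
 * survives a signal landing mid-write (EINTR) and short writes to pipes or
 * nearly-full filesystems. Returns 0 on success, -1 on a hard error. */
static int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* The approach from the patch description: serialise into a static buffer,
 * then hand it straight to the kernel. Once write_all() returns 0 the bytes
 * are in the page cache and no longer depend on the process surviving. */
static int log_unbuffered(int fd, const struct log_rec *r)
{
    static unsigned char buf[sizeof(struct log_rec)];
    memcpy(buf, r, sizeof(*r));
    return write_all(fd, buf, sizeof(buf));
}

/* The approach being replaced: fwrite() leaves the record in a user-space
 * stdio buffer until fflush()/fclose()/exit() runs. */
static int log_stdio(FILE *fp, const struct log_rec *r)
{
    return fwrite(r, sizeof(*r), 1, fp) == 1 ? 0 : -1;
}

/* Log one record from a child process, then kill the child with SIGKILL so
 * that no exit handler or fflush() ever runs, mimicking a process torn down
 * by a signal. Returns the number of bytes that actually reached the file. */
static long bytes_after_kill(int use_stdio)
{
    char path[] = "/tmp/spo_unified_demo_XXXXXX";   /* assumes writable /tmp */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                 /* keep only the open descriptor */

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        struct log_rec r = { 1000001u, 1169243423u, 60u };  /* constructed values */
        if (use_stdio) {
            FILE *fp = fdopen(fd, "wb");
            if (fp)
                log_stdio(fp, &r);   /* record is still in the stdio buffer */
        } else {
            log_unbuffered(fd, &r);  /* record is already in the kernel */
        }
        raise(SIGKILL);              /* no fflush, no atexit, no fclose */
        _exit(1);
    }

    int status;
    waitpid(pid, &status, 0);
    struct stat st;
    long size = (fstat(fd, &st) == 0) ? (long)st.st_size : -1;
    close(fd);
    return size;
}

int main(void)
{
    printf("fwrite then SIGKILL: %ld bytes on disk\n", bytes_after_kill(1));
    printf("write  then SIGKILL: %ld bytes on disk\n", bytes_after_kill(0));
    return 0;
}
```

The stdio path leaves 0 bytes behind and the write(2) path leaves the full 12-byte record. The `write_all` loop matters for the SIGHUP case in particular: a signal arriving while write(2) is blocked can return EINTR or a short count, and a single unchecked write() would silently drop the tail of the record. This example only shows the plain no-flush loss; it does not reproduce the harder case Eric reports, where glibc could be raced into dropping data even after an fflush.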