[Snort-devel] snort -Q 2.8.5.1 SIGHUP config reload feature

Kayvan Javid kayvan.javid at ...3040...
Thu Nov 19 07:08:22 EST 2009


I am running two snort processes, one in inline mode using ipqueue (for
IPS), the other listening on a NIC in promiscuous mode (for IDS).

Sending a SIGHUP to the IDS process results in a config reload with no
problem at all, starting and ending with the following log messages:

LogMessage("        --== Reloading Snort ==--\n");
<reload config output here>
[ LowMem Search-Method Memory Used : 24.964 KBytes ]
LogMessage("        --== Reload Complete ==--\n");

The problem is when sending a SIGHUP to the snort process running in
inline mode.  The log starts:

LogMessage("        --== Reloading Snort ==--\n");

Gets down to:
[ LowMem Search-Method Memory Used : 24.964 KBytes ]

Then it sits there, doing nothing, and never completes the config reload;
any subsequent SIGHUP signals are just ignored.

After debugging I see it is getting caught in snort.c at:

static void * ReloadConfigThread(void *data)
{
--snip
	while (!snort_swapped && !snort_exiting)
		sleep(1);
--snip

The obvious problem is the flags not being set elsewhere. The
snort_swapped flag is set at:

static INLINE void CheckForReload(void)
{
	if (snort_reload)
	{
		snort_swapped = 1;
	}


This CheckForReload() function, which sets the flag needed to complete
the config reload, seems to be called from only two places:

1. void PcapProcessPacket(char *user, struct pcap_pkthdr * pkthdr, const
u_char * pkt)

2. void * InterfaceThread(void *arg)

Neither of these functions is called in inline mode, so the config
reload never completes.  No. 1 is only when using Pcap during IDS, and
InterfaceThread is never called when inline, as per:

static void SnortProcess(void)
{
#ifdef GIDS
    if (ScAdapterInlineMode())
    {
#ifndef IPFW
        IpqLoop();
#else
        IpfwLoop();
#endif
    }
    else
    {
#endif /* GIDS */

        DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Entering pcap loop\n"););

        InterfaceThread(NULL);
#ifdef GIDS
    }
#endif /* GIDS */
}

So... looking in the IpqLoop now in inline.c, we have the usual signal
check loop, but no call to CheckForReload(), which the IDS code path
signal handling in snort.c has.

Obviously adding the call to CheckForReload in the signal checking in
inline.c resolves this. Simples.  However CheckForReload in snort.c is
currently a static INLINE function.  Removing this allows this fix to
work, and for snort in inline mode to complete a settings reload after a
SIGHUP without any problem.

My questions are:

1. Why is CheckForReload() a static INLINE function, does it impact
performance that much otherwise?

2. Is my suggestion a valid fix to the problem, or am I missing
something fundamental ?

Cheers,
Kave
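
Added example, not part of the original post and not Snort source: a small C model of the handshake described above, in which the reload thread waits for snort_swapped and only a packet loop that calls CheckForReload() ever sets it. The helpers reload_thread() and packet_loop_reloads(), the 200 ms bound on the wait and the use of C11 atomics are assumptions made so the demo terminates.

```c
/* Added example, not Snort source. The flag names and CheckForReload() come
 * from the post; reload_thread(), packet_loop_reloads() and the 200 ms bound
 * are hypothetical (the real thread waits with sleep(1) and no timeout). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>

static atomic_int snort_reload, snort_swapped, snort_exiting, thread_done;

/* Packet-loop side of the handshake: acknowledge a pending reload. */
static void CheckForReload(void)
{
    if (atomic_load(&snort_reload))
        atomic_store(&snort_swapped, 1);
}

/* Reload side: announce the new config, then wait for the acknowledgement. */
static void *reload_thread(void *arg)
{
    (void)arg;
    atomic_store(&snort_reload, 1);
    for (int ms = 0; ms < 200 && !atomic_load(&snort_swapped)
                     && !atomic_load(&snort_exiting); ms++)
        usleep(1000);
    atomic_store(&thread_done, 1);
    return NULL;
}

/* calls_check = 1 models the pcap path (or a patched inline loop), 0 models
 * IpqLoop() as described. Returns 1 if acknowledged, 0 if stalled, -1 on error. */
int packet_loop_reloads(int calls_check)
{
    pthread_t tid;
    snort_reload = snort_swapped = thread_done = 0;
    if (pthread_create(&tid, NULL, reload_thread, NULL) != 0)
        return -1;
    while (!atomic_load(&thread_done)) {
        if (calls_check) CheckForReload();   /* the call the inline loop lacks */
        usleep(500);                         /* stand-in for handling one packet */
    }
    pthread_join(tid, NULL);
    return atomic_load(&snort_swapped);
}
int main(void)
{
    printf("with CheckForReload():    %d\n", packet_loop_reloads(1));
    printf("without CheckForReload(): %d\n", packet_loop_reloads(0));
}
```

Without the bound, the second case is the hang reported above: the waiter never sees snort_swapped and the reload never finishes.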
