[Snort-users] Wrong pid Saved on OpenBSD?

Martin Roesch roesch at ...421...
Wed Jan 3 23:24:40 EST 2001


Yep, that's broken alright.  I'm kind of suprised that nobody else has
spotted this one in the past.  Looks like we can patch this one before
shipping 1.7.

     -Marty

> "Hammerle, Tye F." wrote:
> 
> I don't look at those very often but checking over two of my boxes I
> see that;
> 
> I see the same behavior with 1.7b8 on OpenBSD 2.8 x386.
> 
> 'ps ax' PID = 5466
> /var/run/snort_rl0.PID = 3046
> 
> I see the same behavior with 1.7b8 on OpenBSD 2.6 x386.
> 
> 'ps ax' PID = 28256
> /var/run/snort_xl0.PID = 20306
> 
> Tye
> 
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...421...]
> Sent: Wednesday, January 03, 2001 6:38 PM
> To: cjclark at ...485...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Wrong pid Saved on OpenBSD?
> 
> Sounds like it is recording the wrong PID number when it forks when
> you
> put it into daemon mode.  I'll see if we can fix it ASAP....
> 
>      -Marty
> 
> "Crist J. Clark" wrote:
> >
> > I have noticed that when I run Snort 1.6.3p2 in daemon mode on my
> > OpenBSD 2.8 box, it seems to be getting the PID wrong. That is, the
> > file that it writes, snort_xl0.pid, in my case, contains the wrong
> > PID. The PID in the file does not correspond to any existing
> > process.
> >
> > Without taking the half-hour required to figure this out from the
> > code, I thought that I would ask if this was a known issue or if
> > something was amiss with my setup.
> >
> > Just to show exactly what I am doing,
> >
> >   # snort -Dqd -h aaa.bbb.ccc.ddd/ee -l log/net_aaa -c net_aaa.snort
> net aaa.bbb.ccc.ddd/ee
> >
> > The resulting PID in the ps(1) output does not match the contents of
> 
> > snort_xl0.pid. Due to OpenBSD's "randomization" of PIDs, there is no
> 
> > obvious correlation between the two values other than the fact they
> > are never the same.
> > --
> > Crist J. Clark                           cjclark at ...485...
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list