[Snort-users] Snort startup oddity

Avleen Vig avleen at ...396...
Thu Mar 1 18:30:10 EST 2001


Spec:
FreeBSD 4.2 Release, Snort 1.7.

I ran snort with ktrace, and found it does something I thought was a bit
strange.
Now, I'm no programmer so this may be nothing, but it did seem iffy!

Snort tries to open /etc/protocols:
 84084 snort    CALL  open(0x28228586,0,0x1b6)
 84084 snort    NAMI  "/etc/protocols"
 84084 snort    RET   open 3
 84084 snort    CALL  fstat(0x3,0xbfbff8ec)
 84084 snort    RET   fstat 0
 84084 snort    CALL  readlink(0x2822b554,0xbfbff8cc,0x3f)
 84084 snort    NAMI  "/etc/malloc.conf"
 84084 snort    RET   readlink -1 errno 2 No such file or directory
 84084 snort    CALL  mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
 84084 snort    RET   mmap 673464320/0x28244000
 84084 snort    CALL  break(0x807d000)
 84084 snort    RET   break 0
 84084 snort    CALL  break(0x807f000)
 84084 snort    RET   break 0
 84084 snort    CALL  read(0x3,0x807d000,0x2000)
 84084 snort    GIO   fd 3 read 5770 bytes


It then gets to line 255 of /etc/protocols and this happens:
 84084 snort    RET   read 5770/0x168a
 84084 snort    CALL  close(0x3)
 84084 snort    RET   close 0
 84084 snort    CALL  open(0x28228586,0,0x1b6)
 84084 snort    NAMI  "/etc/protocols"
 84084 snort    RET   open 3
 84084 snort    CALL  fstat(0x3,0xbfbff8ec)
 84084 snort    RET   fstat 0
 84084 snort    CALL  break(0x8081000)
 84084 snort    RET   break 0
 84084 snort    CALL  read(0x3,0x807f000,0x2000)
 84084 snort    GIO   fd 3 read 5770 bytes


and it starts to read /etc/protocols again.
I counted this up, and it does it exactly 256 times before going on to:
 84084 snort    RET   read 5770/0x168a
 84084 snort    CALL  read(0x3,0x807f000,0x2000)
 84084 snort    GIO   fd 3 read 0 bytes
       ""
 84084 snort    RET   read 0
 84084 snort    CALL  close(0x3)
 84084 snort    RET   close 0


It then continues with its normal startup and tries to gettimeofday etc.


My question is really... is it MEANT to try to open /etc/protocols 256 times?
I assume not :)

--

Avleen Vig, Systems Administrator
Email: avleen at ...396...               Mobile: (07974) 100 573

Internet Vision                                Tel: 020 7589 4500
60 Albert Court                                Fax: 020 7589 4522
Prince Consort Road                            info at ...396...
London. SW7 2BE                         http://www.ivision.co.uk/
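
The count made by hand in the post above can be automated. This is an added example, not part of the original message or of Snort: it pairs each CALL/NAMI/RET triple in kdump text and tallies opens per path. The sample trace is constructed in the post's format, and the `/etc/nonexistent` entry and its address are made up to show a failed open.

```python
import re
from collections import Counter

# Constructed sample in the kdump format shown in the post: two successful
# opens of /etc/protocols, one readlink (ignored), one failed open.
SAMPLE = """\
 84084 snort    CALL  open(0x28228586,0,0x1b6)
 84084 snort    NAMI  "/etc/protocols"
 84084 snort    RET   open 3
 84084 snort    CALL  readlink(0x2822b554,0xbfbff8cc,0x3f)
 84084 snort    NAMI  "/etc/malloc.conf"
 84084 snort    RET   readlink -1 errno 2 No such file or directory
 84084 snort    CALL  read(0x3,0x807d000,0x2000)
 84084 snort    RET   read 5770/0x168a
 84084 snort    CALL  close(0x3)
 84084 snort    RET   close 0
 84084 snort    CALL  open(0x28228586,0,0x1b6)
 84084 snort    NAMI  "/etc/protocols"
 84084 snort    RET   open 3
 84084 snort    CALL  open(0x28228590,0,0x1b6)
 84084 snort    NAMI  "/etc/nonexistent"
 84084 snort    RET   open -1 errno 2 No such file or directory
"""

LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+(CALL|NAMI|RET)\s+(.*)$')

def count_opens(text):
    """Return (ok, failed) Counters of open() calls keyed by (pid, path)."""
    ok, failed = Counter(), Counter()
    pending = {}  # pid -> [syscall name, first path seen or None]
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # GIO lines and their payload dumps are skipped
        pid, _cmd, kind, rest = m.groups()
        if kind == "CALL":
            pending[pid] = [rest.split("(", 1)[0], None]
        elif kind == "NAMI" and pid in pending and pending[pid][1] is None:
            pending[pid][1] = rest.strip().strip('"')
        elif kind == "RET" and pid in pending:
            name, path = pending.pop(pid)
            if name == "open" and path is not None:
                result = rest.split()[1]  # fd on success, -1 on failure
                (failed if result.startswith("-") else ok)[(pid, path)] += 1
    return ok, failed

if __name__ == "__main__":
    for (pid, path), n in count_opens(SAMPLE)[0].most_common():
        print(f"{n:6d}  pid {pid}  {path}")
```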




