[Snort-users] SIGHUP results in exit(1)

Thomas Linden scip at ...2120...
Wed May 30 15:31:13 EDT 2001

On Sun, 27 May 2001, Ralf Hildebrandt wrote:
> On Sat, May 26, 2001 at 11:55:28PM +0200, Thomas Linden wrote:
> > I sent a SIGHUP to snort and it died:
> > 
> > Received SIGHUP. Restarting
> > Restarting /usr/local/bin/snort failed
> Maybe due to /usr/local/bin/snort not existing in the chroot jail
> /var/log/snort.d ? ( /var/log/snort.d/usr/local/bin/snort )

ok, I created usr/local/bin under /var/log/snort.d and copied the snort
binary to this location.

But it still dies if I send it a SIGHUP. (With the same message as
mentioned above).

Then I researched it a little bit deeper:

[receiving SIGHUP:]
 recvfrom(3, 0x807e17a, 1564, 0, 0xbffff8ac, 0xbffff898) = ? ERESTARTSYS
 (To be restarted)
 --- SIGHUP (Hangup) ---


[now snort tries to connect to the log device:]
connect(4, {sin_family=AF_UNIX, path="      /dev/log"}, 16) = -1 EACCES
(Permission denied)


[it tries to remove a possibly existing pid file:]
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
unlink("/var/run//snort_eth0.pid")      = -1 EACCES (Permission denied)


[again, it tries to connect to syslog device]
connect(4, {sin_family=AF_UNIX, path="      /dev/log"}, 16) = -1 EACCES
(Permission denied)

.. many more of those tries ..

then, many unsuccessful tries to connect to /dev/log later, it tries
to execvp itself (as it was called by me):
execve("/usr/local/bin/snort", ["/usr/local/bin/snort", "-i", "eth0",
"-u", "1", "-t", "/var/log/snort.d", "-c", "/etc/snort.conf", "-d", "-D",
"-p", "-P", 
"4096", "-v", "-l", ...], [/* 23 vars */]) = -1 EACCES (Permission denied)


rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
munmap(0x4018e000, 4096)                = 0
munmap(0x40014000, 4096)                = 0

that's it. First, snort runs as User daemon (I used -u 1), second, and
most important, it tried to open/connect to some files _within_ the chroot
jail, i.e. /dev/log, so normally I need to have /var/log/snort.d/dev/log
over there, and /var/log/snort.d/etc/snort.conf and
/var/log/snort.d/var/run and so forth.

OK, I could create all those directories and files, it would work, but
what would then happen? snort would chroot to
/var/log/snort.d/var/log/snort.d if I send it a SIGHUP some time again!

Since I don't see a clean way to solve it, I suggest to print out a nice
message stating, that SIGHUP reveiving while running within a chroot jail
will be ignored, and not exit(1). Because normally one gets no response if
sending a SIGHUP to a process. Most programs send something to syslog but
not snort. I can only see the error message if I run it without -D. So if
I do not realize that it does not run anymore I can lose informations and
possibly someone nasty can break in and I will not realize.

kind regards, 


=> PGP key:  http://daemon.de/key.txt 
=> "Experience is what you got  when
=>  you did not get what you wanted."

More information about the Snort-users mailing list