[Snort-users] snort 1.87beta5 still holds some fds on HUP

Michael Scheidell scheidell at ...5171...
Tue May 28 05:36:03 EDT 2002


Thanks for finding that bpf problem on FREEBSD/*BSD where a hup would keep
the bpf's open till there were none available.

Have a similar problem.
FBSD 4.5, snort 1.8.7beta5

Checking to see if bpf's held open on hup (fixed thanks) but the bpf FILTER
file is not closed:
(killall -HUP on FBSD does a pkill snort, and sends a HUP to snort)

scanner# lsof | grep bpf
snort     13132      root    3r  VREG 116,262149         19  476837 /usr/local/share/snort/snort.bpf
snort     13132      root    4r  VCHR       23,0 0t34803126    7187 /dev/bpf0
scanner# killall -HUP snort
scanner# lsof | grep bpf
snort     13132      root    3r  VREG 116,262149         19  476837 /usr/local/share/snort/snort.bpf
snort     13132      root    4r  VREG 116,262149         19  476837 /usr/local/share/snort/snort.bpf
snort     13132      root    5r  VCHR       23,0    0t10890    7187 /dev/bpf0

snort started thus:
/usr/local/bin/snort -doDI -m 022 -z \
-F /usr/local/share/snort/snort.bpf \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net
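
[Added example, not part of the original post and not Snort project code: a shell check that compares two lsof snapshots and reports any file whose open count grew for the same PID across a HUP. The function name fd_growth is hypothetical; the sample data is the lsof output quoted above with wrapped lines rejoined, and the 9-column layout (PID in column 2, NAME in column 9) is assumed from it.]

```shell
#!/bin/sh
# Sample snapshots: the lsof output quoted in the post, before and after the HUP.
BEFORE='snort     13132      root    3r  VREG 116,262149         19  476837 /usr/local/share/snort/snort.bpf
snort     13132      root    4r  VCHR       23,0 0t34803126    7187 /dev/bpf0'

AFTER='snort     13132      root    3r  VREG 116,262149         19  476837 /usr/local/share/snort/snort.bpf
snort     13132      root    4r  VREG 116,262149         19  476837 /usr/local/share/snort/snort.bpf
snort     13132      root    5r  VCHR       23,0    0t10890    7187 /dev/bpf0'

# fd_growth BEFORE_TEXT AFTER_TEXT
# Prints "PID NAME before->after" for every (PID, NAME) pair that is open
# more times in the second snapshot than in the first. A file that is
# reopened on every reload without being closed shows up here; a descriptor
# that merely moves to a new fd number (like /dev/bpf0 above) does not.
fd_growth() {
    {
        # Tag each row with its snapshot so one awk pass can count both.
        printf '%s\n' "$1" | awk 'NF >= 9 { print "B", $2, $9 }'
        printf '%s\n' "$2" | awk 'NF >= 9 { print "A", $2, $9 }'
    } | awk '
        $1 == "B" { before[$2 " " $3]++ }
        $1 == "A" { after[$2 " " $3]++ }
        END {
            for (k in after)
                if (after[k] > before[k] + 0)
                    print k, (before[k] + 0) "->" after[k]
        }
    ' | sort
}

# Run against the sample data.
fd_growth "$BEFORE" "$AFTER"
# → 13132 /usr/local/share/snort/snort.bpf 1->2

# Against a live process, take the snapshots around the signal, e.g.:
#   b=$(lsof -p "$pid"); kill -HUP "$pid"; sleep 2; a=$(lsof -p "$pid")
#   fd_growth "$b" "$a"
```

Repeating the check over several reloads shows whether the count keeps climbing, which is what eventually exhausts the process's descriptor limit.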




