[Snort-users] Redirect kill -10 output

Dirk Geschke Dirk_Geschke at ...1344...
Mon Apr 18 04:15:13 EDT 2005


Hi Alexandre,

> I'm interested in redirecting the output provided by kill -10 'pid' in a file of
> my choice.

I think you mean 

  kill -SIGUSR1 'pid'


SIGUSR1 is not equal to '10' on all systems...

> For the moment the output is in /var/log/messages, I tried several ways in order
> to redirect it but nothing seems efficient.
> 
> Is there a way to do it or am I forced to parse /var/log/messages?

All you have to do is to rewrite SigUsr1Handler in src/snort.c to print
the statistics to a file. But actually SigUsr1Handler only calls DropStats,
part of src/utils.c. So you have to insert this functionality in the sighandler
to write to a file descriptor.

But much worse: You should not open and close the file in a signal handler.
So you should open it on startup of snort and close it on exit so that the
handler only has to write to the file. But then you can run into trouble
due to buffered I/O...

Maybe the best idea would be to change the log facility via openlog() and
to use syslog to separate the snort messages to a separate log file.

Best regards

Dirk




