[Snort-users] -T option useless - good init script anyone?

Jason Haar Jason.Haar at ...294...
Wed Mar 9 14:18:58 EST 2005


Andreas Hasenack wrote:

>Currently the -T option is completely useless. In daemon mode, where it
>would be most useful, it gives us nothing. Instead of testing the
>configuration and giving an error if that's the case, it does nothing.
>

I don't think you are using it correctly.

I always call it first *without daemon mode* and parse it looking for 
"FATAL ERROR". If I find that, I *don't* start daemon mode.

i.e. call it to check your config, then if happy, start snort


Jason

>Check this example out:
>
># snort -A fast -b -D -d  -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -T;echo $?
>0
>
>The logs:
>Mar  9 18:34:56 pandora snort: Writing PID "7093" to file "/var/run/snort/snort_eth0.pid"
>Mar  9 18:34:56 pandora snort: Parsing Rules file /etc/snort/snort.conf
>Mar  9 18:34:56 pandora snort: ,-----------[Flow Config]----------------------
>Mar  9 18:34:56 pandora snort: | Stats Interval:  0
>Mar  9 18:34:56 pandora snort: | Hash Method:     2
>Mar  9 18:34:56 pandora snort: | Memcap:          10485760
>Mar  9 18:34:56 pandora snort: | Rows  :          4099
>Mar  9 18:34:56 pandora snort: | Overhead Bytes:  16400(%0.16)
>Mar  9 18:34:56 pandora snort: `----------------------------------------------
>Mar  9 18:34:56 pandora snort: FATAL ERROR:  unknown preprocessor "andreas" <------------
>
>So, there was a fatal error, but there was no way to tell other than looking at the logs. This makes
>it very difficult and unreliable to write an initialization script for snort, since there is no
>clean way to check if snort is running or not.
>
>Not even the PID can be used, as it is written before entering daemon mode and loading the rules.
>
>Either snort should not daemonize until it checked everything is fine or there should be some other
>way to verify things. Perhaps moving the pid file creation all the way to the end, just before the
>"Snort initialization completed successfully" message? Then the init script could check for the pid
>file and decide whether snort started or not.
>

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
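
The two-step start described in the reply above, sketched as an init-script fragment. This is an added example, not part of the original message and not code from the Snort project; the function names and the `SNORT_*` variables are hypothetical, and the options are taken from the command line quoted in the thread.

```shell
#!/bin/sh
# Added example: config-test gate for a Snort init script.
# Assumptions: snort is on PATH; options and paths mirror the command quoted in the thread.
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_OPTS="${SNORT_OPTS:--A fast -b -d -i eth0 -u snort -g snort -l /var/log/snort}"

# Run the -T test in the foreground (no -D) so the result is visible to the
# caller instead of only reaching syslog. Fails on a non-zero exit status
# or on any "FATAL ERROR" text in the captured output.
snort_config_ok() {
    rc=0
    # $SNORT_OPTS is intentionally unquoted so it splits into separate arguments.
    out=$("$SNORT_BIN" $SNORT_OPTS -c "$SNORT_CONF" -T 2>&1) || rc=$?
    case "$out" in
        *"FATAL ERROR"*) rc=1 ;;
    esac
    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$out" >&2     # show the operator why the test failed
        return 1
    fi
    return 0
}

# Start the daemon only after the foreground test passed.
snort_start() {
    if ! snort_config_ok; then
        echo "snort: configuration test failed, daemon not started" >&2
        return 1
    fi
    "$SNORT_BIN" $SNORT_OPTS -c "$SNORT_CONF" -D
}

case "${1:-}" in
    start)      snort_start ;;
    configtest) snort_config_ok ;;
esac
```

Checking both the exit status and the output text means the gate still holds if a fatal error is printed while the exit status is 0, as in the quoted `-D -T` run.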




