[Snort-users] -T option useless - good init script anyone?

Alejandro Flores alejandrorflores at ...11827...
Wed Mar 9 14:20:30 EST 2005


Hey,

I guess this option is not to be used this way. If you want to test if
your snort configuration is fine, you just execute it like this:
snort -c /etc/snort/snort.conf -T
Then you'll see your error.
You can use something like this in your init script:

# Test the configuration in the foreground first; -T exits non-zero on a parse error
snort -c /etc/snort/snort.conf -T
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
    # ALL OK, start it up in daemon mode
    snort -A fast -b -D -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
else
    echo "Your snort configuration is broken, go fix dude!"
fi

When you 'daemonize' a process, the main process spawns its child,
then dies. So, it will only return an error if it can't fork it.
Another point is, when in daemon mode there's no output to the console, so
you have to check syslog.

Regards,
Alejandro Flores

> Currently the -T option is completely useless. In daemon mode, where it
> would be most useful, it gives us nothing. Instead of testing the
> configuration and giving an error if that's the case, it does nothing.
> 
> Check this example out:
> 
> # snort -A fast -b -D -d  -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -T;echo $?
> 0
> 
> The logs:
> Mar  9 18:34:56 pandora snort: Writing PID "7093" to file "/var/run/snort/snort_eth0.pid"
> Mar  9 18:34:56 pandora snort: Parsing Rules file /etc/snort/snort.conf
> Mar  9 18:34:56 pandora snort: ,-----------[Flow Config]----------------------
> Mar  9 18:34:56 pandora snort: | Stats Interval:  0
> Mar  9 18:34:56 pandora snort: | Hash Method:     2
> Mar  9 18:34:56 pandora snort: | Memcap:          10485760
> Mar  9 18:34:56 pandora snort: | Rows  :          4099
> Mar  9 18:34:56 pandora snort: | Overhead Bytes:  16400(%0.16)
> Mar  9 18:34:56 pandora snort: `----------------------------------------------
> Mar  9 18:34:56 pandora snort: FATAL ERROR:  unknown preprocessor "andreas" <------------
> 
> So, there was a fatal error, but there was no way to tell other than looking at the logs. This makes
> it very difficult and unreliable to write an initialization script for snort, since there is no
> clean way to check if snort is running or not.
> 
> Not even the PID can be used, as it is written before entering daemon mode and loading the rules.
> 
> Either snort should not daemonize until it checked everything is fine or there should be some other
> way to verify things. Perhaps moving the pid file creation all the way to the end, just before the
> "Snort initialization completed successfully" message? Then the init script could check for the pid
> file and decide whether snort started or not.
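The pattern suggested above, carried through as a complete init-script fragment. This is an added example, not code from either poster or from the Snort project: it runs the foreground `-T` check before daemonizing, and then, because the thread notes that the pid file is written before the rules are loaded, confirms that the pid it names is actually alive instead of trusting the file's existence. The variable names, the `start_snort` return codes and the default paths are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical init-script fragment (example, not the Snort project's own).
# Overridable defaults; the paths are assumptions, adjust for your install.
SNORT_BIN=${SNORT_BIN:-/usr/sbin/snort}
CONF=${CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-eth0}
LOGDIR=${LOGDIR:-/var/log/snort}
PIDFILE=${PIDFILE:-/var/run/snort/snort_${IFACE}.pid}

# Step 1: parse the config in the foreground. Without -D, -T returns a
# non-zero exit status on a fatal error, which the daemon start never does.
check_config() {
    "$SNORT_BIN" -c "$CONF" -T >/dev/null 2>&1
}

# Step 2: start the daemon only after the check passed.
start_daemon() {
    "$SNORT_BIN" -A fast -b -D -d -i "$IFACE" -u snort -g snort \
        -c "$CONF" -l "$LOGDIR"
}

# Step 3: the pid file alone proves nothing (it is written before the rules
# are loaded), so read the pid and ask the kernel whether it still exists.
pid_alive() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Poll for up to $1 seconds for the daemon to show up alive.
wait_for_daemon() {
    tries=${1:-10}
    while [ "$tries" -gt 0 ]; do
        pid_alive && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Returns 0 on success, 2 for a bad config, 3 if the start command failed,
# 4 if no live process appeared behind the pid file (check syslog then).
start_snort() {
    if ! check_config; then
        echo "snort: configuration $CONF failed the -T check" >&2
        return 2
    fi
    start_daemon || return 3
    if ! wait_for_daemon 10; then
        echo "snort: daemon did not come up; check syslog" >&2
        return 4
    fi
    return 0
}

# Minimal dispatch so the fragment can be run directly: ./snort-init start
case "${1:-}" in
    start) start_snort ;;
    check) check_config && echo "configuration OK" ;;
esac
```

Because `start_snort` distinguishes "config rejected" from "daemon never came up", the init script can report the right failure to the operator without having to grep syslog for the FATAL ERROR line.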
