Snort mailing list archives
Re: -T option useless - good init script anyone?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 10 Mar 2005 11:18:37 +1300
Andreas Hasenack wrote:
> Currently the -T option is completely useless. In daemon mode, where it would be most useful, it gives us nothing. Instead of testing the configuration and giving an error if that's the case, it does nothing.
I don't think you are using it correctly. I always call it first *without daemon mode* and parse it looking for "FATAL ERROR". If I find that, I *don't* start daemon mode.
i.e. call it to check your config, then if happy, start snort

Jason
> Check this example out:
>
> # snort -A fast -b -D -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -T;echo $?
> 0
>
> The logs:
>
> Mar 9 18:34:56 pandora snort: Writing PID "7093" to file "/var/run/snort/snort_eth0.pid"
> Mar 9 18:34:56 pandora snort: Parsing Rules file /etc/snort/snort.conf
> Mar 9 18:34:56 pandora snort: ,-----------[Flow Config]----------------------
> Mar 9 18:34:56 pandora snort: | Stats Interval: 0
> Mar 9 18:34:56 pandora snort: | Hash Method: 2
> Mar 9 18:34:56 pandora snort: | Memcap: 10485760
> Mar 9 18:34:56 pandora snort: | Rows : 4099
> Mar 9 18:34:56 pandora snort: | Overhead Bytes: 16400(%0.16)
> Mar 9 18:34:56 pandora snort: `----------------------------------------------
> Mar 9 18:34:56 pandora snort: FATAL ERROR: unknown preprocessor "andreas" <------------
>
> So, there was a fatal error, but there was no way to tell other than looking at the logs. This makes it very difficult and unreliable to write an initialization script for snort, since there is no clean way to check if snort is running or not. Not even the PID can be used, as it is written before entering daemon mode and loading the rules.
>
> Either snort should not daemonize until it checked everything is fine or there should be some other way to verify things. Perhaps moving the pid file creation all the way to the end, just before the "Snort initialization completed successfully" message? Then the init script could check for the pid file and decide whether snort started or not.
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377
Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
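The check-then-start sequence described in the reply above, written as init-script functions. This is an added example, not code from the thread or from the Snort project; the function and variable names are assumptions, and the option values are copied from the command quoted in the message.

```shell
#!/bin/sh
# Added example. SNORT, SNORT_CONF, SNORT_OPTS and the function names are
# assumed; the option values come from the command quoted in the thread.
SNORT="${SNORT:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_OPTS="${SNORT_OPTS:--A fast -b -d -i eth0 -u snort -g snort -l /var/log/snort}"

# Run the configuration test in the foreground (no -D) and capture all output.
# Returns 0 if the configuration is usable, 1 otherwise.
snort_config_ok() {
    rc=0
    out=$($SNORT $SNORT_OPTS -c "$SNORT_CONF" -T 2>&1) || rc=$?
    # The reply's method is to search the output for "FATAL ERROR".
    # Checking the exit status as well is an extra safeguard added here.
    if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -q 'FATAL ERROR'; then
        # Surface the offending line(s) so the operator sees why startup stopped.
        printf '%s\n' "$out" | grep 'FATAL ERROR' >&2
        return 1
    fi
    return 0
}

# Start the daemon only after the foreground test has passed.
snort_start() {
    if ! snort_config_ok; then
        echo "snort: configuration test failed, not starting daemon" >&2
        return 1
    fi
    $SNORT $SNORT_OPTS -c "$SNORT_CONF" -D
}

# Minimal dispatcher so the file can be called as "script start" or "script test".
case "${1:-}" in
    start) snort_start ;;
    test)  snort_config_ok ;;
esac
```

Because the test runs without `-D`, no PID file is left behind by a failed start, which avoids the stale-PID problem raised in the quoted message.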
