Re: of signals and packets: msg#00008

security.ids.snort.devel

Subject: Re: of signals and packets

Just want to clear up the history behind this change. Snort
used to catch a signal, and go through the snort shutdown
within the signal handler. This exposed snort to a
vulnerability with reentrant code.

We changed to using pcap_dispatch -- versus pcap_loop -- and
a timeout value. The implementation of pcap_dispatch using a
timeout is the root cause of Snort's failure to exit on the
signal -- it catches the signal, but control returns to pcap,
where it's sitting waiting for a packet. Certain implementations
of pcap -- namely Linux -- do NOT correctly use (read: ignore)
the timeout value supplied.

Thus, on the first packet, we see that we've got a signal and
poof, snort exits cleanly.

This approach was taken to eliminate the reentrant code in
the signal handlers -- best not be in the middle of syslog
in a sig handler when you get another signal.

Markus' approach would handle the signal issue, but might add
some performance latency as it still has to poll the fd at some
point even when there may be packets queued up.

Cheers.
-steve

Nepenthes Development Team wrote:
> Hi,
>
> On 8/9/06, Russell Fulton <r.fulton@xxxxxxxxxxxxxx> wrote:
>
>>No packets, no interrupts!
>>
>>I wonder if it would be worth while to feed in dummy packet once a
>>second to catch signal when there is no traffic.
>
>
> Bad hack, better approach might be using
> int pcap_get_selectable_fd(pcap_t *p);
> in combination with poll / select, so you can specify a timeout of
> let's say 200ms, and check whatever you need then.
>
> If done right, one could even poll sockets from modules (which log to
> a database).
>
>
> MfG
> Markus Koetter
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
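
The pattern discussed in this thread, as an added example that is not Snort's code and not part of either message: the handler only sets a flag, and the loop waits on a descriptor with a bounded timeout so the flag is noticed even when no traffic arrives. A pipe stands in for the descriptor that pcap_get_selectable_fd() would return, and the names capture_loop, on_stop and demo are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t stop_requested;

/* Handler does one async-signal-safe thing: set a flag. No syslog, no cleanup. */
static void on_stop(int signo) { (void)signo; stop_requested = 1; }

/* Wait on fd with a bounded timeout so the flag is seen even with no traffic.
 * Returns the number of records handled before shutdown, or -1 on error. */
int capture_loop(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int handled = 0;
    while (!stop_requested) {
        int n = poll(&pfd, 1, timeout_ms);
        if (n < 0 && errno != EINTR) return -1;
        if (n <= 0) continue;            /* timeout or EINTR: re-check the flag */
        char rec;                        /* with libpcap: call pcap_dispatch() here */
        if (read(fd, &rec, 1) != 1) break;
        handled++;
    }
    /* Shutdown work (logging, freeing state) belongs here, in normal context. */
    return handled;
}

/* Constructed scenario: 3 queued records, then an idle link, then SIGTERM. */
int demo(void)
{
    int p[2];
    struct sigaction sa = {0};
    sa.sa_handler = on_stop;
    sigemptyset(&sa.sa_mask);
    stop_requested = 0;
    if (pipe(p) != 0 || sigaction(SIGTERM, &sa, NULL) != 0) return -1;
    if (write(p[1], "abc", 3) != 3) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) { sleep(1); kill(getppid(), SIGTERM); _exit(0); }
    int handled = capture_loop(p[0], 200);   /* 200 ms, as suggested in the thread */
    waitpid(child, NULL, 0);
    close(p[0]); close(p[1]);
    return handled;
}
int main(void) { return demo() == 3 ? 0 : 1; }
```

A signal that lands between the flag check and the poll() call is picked up at the next timeout, so exit latency is bounded by timeout_ms rather than by the arrival of the next packet.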
