A fine day to all,

I've had some problems with snort, and found two issues. I have a hard
time believing there wouldn't be others speaking up if these were real
problems, so I'm suspecting they are related to my situation somehow, but
I thought I would put them out there anyway just in case.

PacketFence 4.0.1
CentOS 6.4
snort: snort.x86_64   1:2.9.1.2-1.el6  @PacketFence

1. snort not seen as running by pf, even when it is, with correct pf
generated conf file and run parameters
     1. Cause - pid file name being checked in services.pm line 349
doesn't match actual pid file name, which is "snort_${interface}.pid", not
snort.pid
          1. I'm using eth5 for snort monitor - so real pid file is
snort_eth5.pid.
          2. Since I don't see an option to snort to set actual pid file
name (and having the interface in the name could be helpful), I've done a
horrible hack to services.pm
               diff services.pm services.pm.dist
               348,353c348,349
               < #THP
               <                    if ($daemon eq 'snort'){
               <                        if (-e 
"$install_dir/var/run/${daemon}_eth5.pid"){
               <                            chomp( $pid = `cat
$install_dir/var/run/${daemon}_eth5.pid`);
               <                         }
               <                     } elsif (-e
"$install_dir/var/run/$daemon.pid") {
               ---
               > 
               >                     if (-e
"$install_dir/var/run/$daemon.pid") {
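Review bot: the interface name is hard-coded in both added `${daemon}_eth5.pid` paths, so the running check only works on a host whose snort monitor interface is eth5. Build the file name from the configured monitor interface instead of a literal. Also, when `$daemon` is `snort` and that file is missing, the `elsif` test for `$daemon.pid` is never reached, so confirm snort never writes the un-suffixed name. The added backtick `cat` runs a shell on an interpolated path; opening and reading the file in Perl avoids that. The `#THP` marker should be replaced with a comment that says why snort is special-cased.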
          3. Gets me running for now without chasing the proper way to get
the active snort interface

2. Starting snort complains about "Use of uninitialized value in split at
/usr/local/pf/lib/pf/services/snort.pm line 58."
     1. This seems to come from the defaults sub-hash being cleared and
not repopulated in the class_set_defaults routine in violation_config.pm
(line 114)
     2. When services/snort.pm attempts to split
$Violation_Config{'defaults'}{'snort_rules'}, there's no there there, so
producing the uninitialized value complaint, and the lack of rules
included in var/conf/snort.conf
     3. Another ugly hack "fixes" this:
        diff violation_config.pm violation_config.pm.dist
        114,115c114
        <     my $default_values;
        < #    my $default_values = delete $violations_conf{'defaults'} ;
        ---
        >     my $default_values = delete $violations_conf{'defaults'} ;
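Review bot: the replacement line `my $default_values;` leaves the variable undefined, so any later use of `$default_values` in this routine sees undef instead of the defaults section. If the goal is only to keep the `defaults` key in `%violations_conf` so that `snort_rules` is still there for snort.pm to split, read it without deleting, for example `my $default_values = $violations_conf{'defaults'};`. That keeps both the hash entry and the variable populated. Drop the commented-out original line rather than leaving it in the file.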

Again, I'm sure that somehow these being a problem are due to my setup and
most certainly my "fixes" are ugly things that will likely break all kinds
of things, but for the moment they let me get past these problems and on
to more interesting issues.
          

Thank you for your time,

Tim Palmer


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
