Package: snort
Version: 2.7.0-13
Severity: normal
Hello, this bug report follows on from #458823. The scenario is
setting up snort for use on a laptop, where both lan0 (ethernet) and
wlan0 (wireless) may be defined but only one will be used at a time.
You were able to resolve #458823 by allowing for ALLOW_UNAVAILABLE to
be set to "yes" in /etc/default/snort.

However, the fail condition reported in #458823 is still occurring,
preventing snort from successfully upgrading. It doesn't fail every
time, however.

For instance I have set DEBIAN_SNORT_INTERFACE="lan0 wlan0" in
/etc/snort/snort.debian.conf. If lan0 is up at the time of upgrading
(or running /etc/init.d/snort start), then the init script succeeds
(return value 0). If the second interface, wlan0, is up at the time
(and lan0 is down), then the init script fails with return value 1.

Looking through /etc/init.d/snort more closely, I think the
ALLOW_UNAVAILABLE logic needs to be repeated elsewhere. Either that or
"ip link show" is not the right test for interfaces.

Currently, the script looks at each interface in DEBIAN_SNORT_INTERFACE and
tests whether it is known at all using

    if ! [ -x /sbin/ip ] || ip link show dev "$interface" >/dev/null 2>&1;
    then

If the interface is not known then snort says "interface not available",
with or without an error depending on ALLOW_UNAVAILABLE.

Unfortunately this is not the right test for my laptop scenario, since
all "known" interfaces will pass the "ip link show", whether or not
they're actually up. So, when wlan0 is up, snort tests lan0, knows
it's there (although it's down) and tries to start it, with failure
coming from "/sbin/start-stop-daemon --start". That is, the current
implementation of ALLOW_UNAVAILABLE merely prevents failure when some
unknown interface is listed in DEBIAN_SNORT_INTERFACE.

I think there are two possible solutions:

1) when handling case "$ret" (from /sbin/start-stop-daemon --start),
for the failure case "*)", add a test for ALLOW_UNAVAILABLE (l.201):

    *)
        log_progress_msg "...ERROR: $fail)"
        if [ "$ALLOW_UNAVAILABLE" = "no" ] ; then
            myret=$(expr "$myret" + 1)
        fi
        ;;

(Should the ERROR msg be changed if ALLOW_UNAVAILABLE=yes?)

2) Add "up" to the ip link test, i.e. 'ip link show up dev "$interface"'
instead of 'ip link show dev "$interface"'. In this case both
interfaces return 0, but the interface which is down returns no
output (to stdout). An empty string test handles it, say (l.167)

    if ! [ -x /sbin/ip ] || [ -n "`ip link show up dev $interface 2>/dev/null`" ]; then

(I think -n is right, not -z)

In this case the existing ALLOW_UNAVAILABLE mechanism is then invoked
if the interface is down (I guess when ALLOW_UNAVAILABLE=yes there's
not much point in distinguishing between interfaces which don't exist
from those which are simply down?)

The reason why I'm getting the inconsistent behaviour (failure when
lan0 is down but wlan0 is up, but success the other way around) is
because when lan0 is up, wlan0 is configured. That is, "ip link show
dev wlan0" says wlan0 does not exist (not that it's simply down).
However when I activate wlan0, lan0 is simply set down with "ifconfig
lan0 down"; it's not completely removed (so "ip link show dev lan0"
says it exists but is not up). Either of the two solutions I suggest
here will fix the latter case.

I guess in my opinion solution 2 is more elegant since it treats both
interface failure mechanisms (not existing or not up) the same way.
I'm not sure treating the two failure cases differently is useful -
either way "interface not available", but perhaps it could be useful to
know if the interface doesn't exist or is simply down.
Cheers,
Drew
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages snort depends on:
ii adduser 3.106 add and remove users and groups
ii debconf [debconf-2.0] 1.5.20 Debian configuration management sy
ii libc6 2.7-9 GNU C Library: Shared libraries
ii libgcrypt11 1.4.0-3 LGPL Crypto library - runtime libr
ii libgnutls26 2.2.2-1 the GNU TLS library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libltdl3 1.5.26-1 A system independent dlopen wrappe
ii libpcap0.8 0.9.8-3 system interface for user-level pa
ii libpcre3 7.6-2 Perl 5 Compatible Regular Expressi
ii libprelude2 0.9.16.2-2 Hybrid Intrusion Detection System
ii libtasn1-3 1.3-1 Manage ASN.1 structures (runtime)
ii logrotate 3.7.1-3 Log rotation utility
ii snort-common 2.7.0-13 Flexible Network Intrusion Detecti
ii snort-common-libraries 2.7.0-13 Flexible Network Intrusion Detecti
ii snort-rules-default 2.7.0-13 Flexible Network Intrusion Detecti
ii sysklogd [system-log-d 1.5-2 System Logging Daemon
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
Versions of packages snort recommends:
ii iproute 20080108-1 Professional tools to control the
-- debconf information excluded
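The interface test the report proposes as solution 2, written out as an added POSIX shell example (this is not the Debian snort init script, and nothing here is the reporter's code): an interface is usable only when it both exists and is up, which is read off the empty-output behaviour of "ip link show up dev IFACE", and ALLOW_UNAVAILABLE then decides whether a missing or down interface is skipped or counted as an error. The IP_CMD variable, the sim_ip stand-in with its SIM_LINKS table, and the return-code convention are assumptions made for this example so it runs without root or real interfaces.

```shell
#!/bin/sh
# Added example, not the Debian snort init script.  It implements the report's
# "solution 2": an interface counts as available only when it exists AND is up,
# detected through the empty-output behaviour of 'ip link show up dev IFACE'
# (exit status 0 either way, output only when the link is up).
# IP_CMD, sim_ip, SIM_LINKS and the return-code convention are assumptions
# made for this example.

# Constructed stand-in for /sbin/ip so the script runs without root or real
# interfaces.  SIM_LINKS holds "name:state" pairs; a name not listed behaves
# like a device that does not exist.  Set IP_CMD=/sbin/ip to use the real tool.
SIM_LINKS="lan0:down wlan0:up"
sim_ip() {
    # understands "link show dev X" and "link show up dev X"
    shift 2
    want_up=no
    if [ "$1" = up ]; then want_up=yes; shift; fi
    [ "$1" = dev ] && shift
    for entry in $SIM_LINKS; do
        name=${entry%%:*}
        link=${entry#*:}
        if [ "$name" = "$1" ]; then
            # like ip: print the link unless only UP links were asked for
            if [ "$want_up" = no ] || [ "$link" = up ]; then
                echo "1: $name: <BROADCAST,MULTICAST> state $link"
            fi
            return 0
        fi
    done
    echo "Device \"$1\" does not exist." >&2
    return 1
}
: "${IP_CMD:=sim_ip}"

# iface_state IFACE -> prints "up", "down" or "missing"
iface_state() {
    if ! "$IP_CMD" link show dev "$1" >/dev/null 2>&1; then
        echo missing
    elif [ -n "$("$IP_CMD" link show up dev "$1" 2>/dev/null)" ]; then
        echo up
    else
        echo down
    fi
}

# start_decision IFACE ALLOW_UNAVAILABLE -> 0 if snort may start on it or the
# interface is skipped under ALLOW_UNAVAILABLE=yes, 1 if this is an error
start_decision() {
    state=$(iface_state "$1")
    case $state in
        up)
            echo "start snort on $1"
            return 0 ;;
        *)
            if [ "$2" = yes ]; then
                echo "skip $1: interface not available ($state)"
                return 0
            fi
            echo "ERROR: $1: interface not available ($state)" >&2
            return 1 ;;
    esac
}

# run_all "IFACE ..." ALLOW_UNAVAILABLE -> number of interfaces that errored,
# mirroring the init script's summed myret
run_all() {
    failures=0
    for iface in $1; do
        start_decision "$iface" "$2" || failures=$((failures + 1))
    done
    return $failures
}

# Demo with lan0 down and wlan0 up, the laptop case from the report.
run_all "lan0 wlan0" no;  echo "ALLOW_UNAVAILABLE=no  -> exit $?"
run_all "lan0 wlan0" yes; echo "ALLOW_UNAVAILABLE=yes -> exit $?"
```

With the simulated table the "no" run reports lan0 as an error and exits 1, while the "yes" run skips lan0, starts on wlan0 and exits 0; a device absent from SIM_LINKS is reported as "missing" and handled the same way as a down one, which is the behaviour the report argues for.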