Merge branch 'master' of ssh://10.211.55.11/home/mbr/git/psad

CREDITS

@@ -442,6 +442,9 @@ Dan A. Dickey
       iproute2 does not.  So, for a multi-homed interface (eth0 with multiple
       addresses), ifconfig -a only shows the first one configured and not the
       rest.  ip addr shows all of the configured addresses...".
+    - Valuable input around whois process handling w.r.t. zombie processes.
+      This helped to lead to a solution using fork() and exec(), and was
+      tracked by Github issue #15.
 
 Graham Murray
     - Reported a bug where 8-bit data included in some whois output causes mail

ChangeLog

@@ -1,3 +1,9 @@
+psad-2.2.4 (08//2014):
+    - Bug fix to not create zombie whois processes when whois lookups take too
+      long to complete for whatever reason (slow network, etc.). This fixes
+      issue #15 on Github. The bug was reported by "3Turtles" to the psad
+      mailing list, and Dan Dickey provided valuable input.
+
 psad-2.2.3 (03/01/2014):
     - Added compatibility with 'upstart' init daemons with assistance from Tim
       Kramer.  This change adds a new config variable 'ENABLE_PSADWATCHD' that

psad

@@ -728,7 +728,6 @@ if ($config{'ENABLE_AUTO_IDS'} eq 'Y') {
 ### and for reaping zombie whois processes.
 $SIG{'__WARN__'} = \&warn_handler;
 $SIG{'__DIE__'}  = \&die_handler;
-$SIG{'CHLD'}     = \&REAPER;
 $SIG{'USR1'}     = \&usr1_handler;
 $SIG{'HUP'}      = \&hup_handler;
 
@@ -6020,21 +6019,23 @@ sub exec_external_script() {
     $scan_ext_exec{$src} = '';
     my $cmd = $config{'EXTERNAL_SCRIPT'};
     $cmd =~ s/SRCIP/$src/;
+
     my $pid;
-    if ($pid = fork()) {
-        local $SIG{'ALRM'} = sub {die "[*] External script timeout.\n"};
-        alarm 30;  ### the external script should be finished in 30 secs.
-        eval {
-            waitpid($pid, 0);
-        };
-        alarm 0;
-        if ($@) {
-            kill 9, $pid;
+    local $SIG {'ALRM'} = sub {kill 15, $pid or die "[*] kill: $!";
+        die "[*] External script timeout.\n"};
+    eval {
+        $pid = fork();
+
+        die "Could not fork for external script: $!" unless defined $pid;
+
+        unless ($pid) {
+            exec qq{$cmd};
+            die "script exec failed: $!";
         }
-    } else {
-        die "[*] Could not fork for external script: $!" unless defined $pid;
-        exec qq{$cmd};
-    }
+        alarm $config{'WHOIS_TIMEOUT'};
+
+        waitpid $pid => 0;
+    };
     return;
 }
 
@@ -7277,15 +7278,26 @@ sub get_whois_info() {
         $whois_cache{$ip}++;
     } else {
         $whois_cache{$ip} = 0;
+
+        my $pid;
+
+        local $SIG {'ALRM'} = sub {kill 15, $pid or die "[*] kill: $!";
+            die "whois alarm"};
         eval {
-            local $SIG{'ALRM'} = sub {die "whois alarm\n"};
+            $pid = fork();
+
+            die "Could not fork(): $!" unless defined $pid;
+
+            unless ($pid) {
+                exec "$cmds{'whois'} $ip > $whois_datafile";
+                die "whois $ip exec failed: $!";
+            }
             alarm $config{'WHOIS_TIMEOUT'};
-            system "$cmds{'whois'} $ip > $whois_datafile 2> /dev/null";
-            alarm 0;
+
+            waitpid $pid => 0;
         };
+
         if ($@) {
-            ### die unless $@ eq "whois alarm\n";
-            ### warn "$@: $?";  ### let the warning handler save the error.
             warn $@;
             $#whois_data = 0;
             @whois_data = ("Whois data not available!\n");
@@ -7308,16 +7320,6 @@ sub get_whois_info() {
     return \@whois_data;
 }
 
-sub REAPER {
-    my $pid;
-    $pid = waitpid(-1, WNOHANG);
-#   if (WIFEXITED($?)) {
-#       print STDERR "[+] **  Process $pid exited.\n";
-#   }
-    $SIG{'CHLD'} = \&REAPER;
-    return;
-}
-
 sub stop_psad() {
     my $rv = 0;