Snort mailing list archives
Re: compiling with --enable-inline impacts non-inline sniffing
From: Todd Wease <twease () sourcefire com>
Date: Tue, 30 Mar 2010 20:32:42 -0400
On 03/30/2010 05:22 PM, Dan Weber wrote:

I configure snort like this:

    ./configure --enable-ipv6 \
        --enable-dynamicplugin --enable-inline --enable-ipfw \
        --with-libnet-includes=/usr/local/include/libnet-1.0 \
        --with-libnet-libraries=/usr/local/lib/libnet-1.0

I compile, then run snort like this:

    snort -i lo -c snort.conf

where "snort.conf" is an empty file. And it reads from a different
interface, not lo.

Looking in the source, things are okay in the SnortConfigso bad in
MergeSnortConfs(), which I
think is there to merge the configuration on my command line with
whatever is read from the configuration file. Around line 4620
is this:

    #if defined(GIDS) && defined(IPFW)
        config_file->divert_port = cmd_line->divert_port;
        if (config_file->interface != NULL)
        {
            free(config_file->interface);
            config_file->interface = NULL;
        }
    #endif

If I'm understanding it correctly, this erases the interface in the
config_file if it exists, even if I'm not in inline mode. I'm not
sure what test should be there, but this doesn't seem right.

snort still sniffs, but it sniffs the "default interface" as determined
by libpcap, instead of what was on the command line.

Tested on both 2.8.5.2 and 2.8.5.3, as well as the 2.8.6.rc.

Hi Dan,

Thanks for the report. Definitely looks like a bug. It should probably
be doing an inline check before freeing the interface - if inline, free
it, else don't. Maybe something like:

    if ((config_file->run_flags & RUN_FLAG__INLINE) &&
        (config_file->interface != NULL))
    {
        free(config_file->interface);
        config_file->interface = NULL;
    }

I'll be creating a bug for the issue.

Thanks,
Todd
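
The behaviour discussed in this thread, as an added example that is not part of either message or of the Snort source: a reduced C model of the merge step, run once with the unconditional free and once with the inline guard. MiniConf, merge_confs, interface_survives, the flag value and port 8000 are assumptions for illustration, as is the premise that the -i value is copied into config_file before the IPFW block runs.

```c
#include <stdlib.h>
#include <string.h>

/* Reduced stand-in for the config struct: only fields named in the thread.
 * The flag value is a placeholder, not Snort's real constant. */
#define RUN_FLAG__INLINE 0x1
typedef struct { int run_flags; int divert_port; char *interface; } MiniConf;

/* malloc-backed copy so the result can be free()d. */
static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p != NULL)
        strcpy(p, s);
    return p;
}

/* Model of the merge. check_inline == 0 reproduces the reported behaviour,
 * check_inline == 1 applies the guard suggested in the reply.
 * Assumption: command-line values are merged in before the IPFW block. */
static void merge_confs(MiniConf *cmd_line, MiniConf *config_file, int check_inline)
{
    if (cmd_line->interface != NULL) {
        free(config_file->interface);
        config_file->interface = dup_str(cmd_line->interface);
    }
    config_file->run_flags |= cmd_line->run_flags;
    config_file->divert_port = cmd_line->divert_port;

    if ((!check_inline || (config_file->run_flags & RUN_FLAG__INLINE)) &&
        (config_file->interface != NULL)) {
        free(config_file->interface);
        config_file->interface = NULL;
    }
}

/* Returns 1 if the -i interface survives the merge, 0 if it was dropped
 * (the sniffer would then fall back to libpcap's default interface). */
int interface_survives(const char *iface, int run_flags, int check_inline)
{
    MiniConf cmd = { run_flags, 8000, dup_str(iface) };  /* constructed input */
    MiniConf file = { 0, 0, NULL };                      /* empty snort.conf */
    merge_confs(&cmd, &file, check_inline);
    int kept = (file.interface != NULL) && (strcmp(file.interface, iface) == 0);
    free(file.interface);
    free(cmd.interface);
    return kept;
}
```

A regression test for the real fix would want the same two cases: a non-inline run keeps the requested interface, and an inline run still clears it.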
