Snort mailing list archives
compiling with --enable-inline impacts non-inline sniffing
From: Dan Weber <weberdan () gmail com>
Date: Tue, 30 Mar 2010 17:22:59 -0400
I configure snort like this:

    ./configure --enable-ipv6 \
        --enable-dynamicplugin --enable-inline --enable-ipfw \
        --with-libnet-includes=/usr/local/include/libnet-1.0 \
        --with-libnet-libraries=/usr/local/lib/libnet-1.0

I compile, then run snort like this:

    snort -i lo -c snort.conf

where "snort.conf" is an empty file. And it reads from a different interface, not lo.

Looking in the source, things are okay in the SnortConfigso bad in MergeSnortConfs(), which I think is there to merge the configuration on my command line with whatever is read from the configuration file.

Around line 4620 is this:

    #if defined(GIDS) && defined(IPFW)
        config_file->divert_port = cmd_line->divert_port;
        if (config_file->interface != NULL)
        {
            free(config_file->interface);
            config_file->interface = NULL;
        }
    #endif

If I'm understanding it correctly, this erases the interface in the config_file if it exists, even if I'm not in inline mode. I'm not sure what test should be there, but this doesn't seem right.

snort still sniffs, but it sniffs the "default interface" as determined by libpcap, instead of what was on the command line.

Tested on both 2.8.5.2 and 2.8.5.3, as well as the 2.8.6.rc.
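The behaviour described in the post above, as an added C model that is not Snort's source and not part of the original message. `model_conf`, `inline_mode`, `merge_guarded` and `sniffs_requested` are hypothetical names, and gating the block on a runtime inline flag is an assumption, since the post leaves open what the right test is.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the fields involved; not Snort's real SnortConfig. */
typedef struct {
    char *interface;   /* name given with -i, NULL if unset */
    int divert_port;
    int inline_mode;   /* assumed flag: nonzero only when inline was requested */
} model_conf;

static char *copy_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* The quoted block: runs whenever it is compiled in, whatever the mode. */
static void merge_as_quoted(model_conf *config_file, const model_conf *cmd_line) {
    config_file->divert_port = cmd_line->divert_port;
    if (config_file->interface != NULL) {
        free(config_file->interface);
        config_file->interface = NULL;
    }
}

/* Assumed variant: the same block, applied only when inline was requested. */
static void merge_guarded(model_conf *config_file, const model_conf *cmd_line) {
    if (cmd_line->inline_mode) merge_as_quoted(config_file, cmd_line);
}

/* 1 if the requested interface survives the merge, 0 if it was cleared. */
static int sniffs_requested(int guarded, int inline_mode, const char *requested) {
    model_conf cmd_line = { NULL, 8000, inline_mode };   /* constructed values */
    model_conf config_file = { copy_str(requested), 0, inline_mode };
    int ok;
    if (guarded) merge_guarded(&config_file, &cmd_line);
    else merge_as_quoted(&config_file, &cmd_line);
    ok = config_file.interface != NULL && strcmp(config_file.interface, requested) == 0;
    free(config_file.interface);
    return ok;
}

int main(void) {
    printf("as quoted, sniffer mode: %d\n", sniffs_requested(0, 0, "lo"));
    printf("guarded, sniffer mode:   %d\n", sniffs_requested(1, 0, "lo"));
    printf("guarded, inline mode:    %d\n", sniffs_requested(1, 1, "lo"));
    return 0;
}
```

A result of 0 in sniffer mode is the case that matters operationally: the sensor keeps running and reporting, but on whatever interface the capture library picks rather than the one it was told to watch.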