Re: [Snort-announce] run snort on GRE tunnel interface?

[Martin Roesch <roesch () sourcefire com>]

Snort doesn't support GRE decoding yet, so it won't run on a GRE
interface.  The segfault is incidental to the shutdown process,
something we have to clean up, but even if we cleaned that up it
wouldn't run.  I've been planning on adding GRE decoding for a while,
but if you want/need it before I get to it, adding decoders to Snort
isn't especially hard.  If you want to take a shot at it, feel free (and
also feel free to ask any questions you might have about the process).

     -Marty

Andreas Dembach wrote:
> Hi,
>
> snort version 1.7 SEGFAULTS if told to listen on a GRE tunnel interface:
>
> -----------------------
> # snort -h xx.xx.xx.xx/24 -c /etc/snort/snort.conf
> -S"HOME_NET=xx.xx.xx.xx/24"     -l /var/log/snort -b -d -u snort -g snort
> -s -i gre0
> Initializing Network Interface gre0
> Warning: arptype 778 not supported by libpcap - falling back to cooked
> socket
>
> snort cannot handle data link type 113
> Exiting...
> Segmentation fault
> #
> -------------------------------
>
> Is this a snort problem or one of libpcap? tcpdump complains (but works
> anyway):
>
> > Warning: arptype 778 not supported by libpcap - falling back to cooked
> socket
> > tcpdump: listening on gre0
>
> Im am running on linux with a 2.2.17 kernel and libpcap0 0.6.2-1
>
> Any ideas or comments?
>
> Andreas Dembach
>
> _______________________________________________
> Snort-announce mailing list
> Snort-announce () lists sourceforge net
> http://lists.sourceforge.net/lists/listinfo/snort-announce

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users