Snort mailing list archives

Re: Segfault on fun funy rule


From: Erek Adams <erek () snort org>
Date: Thu, 26 Feb 2004 01:13:38 -0500 (EST)


[...comments inline...]

On Wed, 25 Feb 2004, Jason Monroe "JC" wrote:

> Downloaded 2.1.1 built it against Fedora Core 1
> pcre 4.4
> libpcap-0.7.2-7.1

[...snip...]

> Have rule in local.rules that causes breakage
>
> alert tcp any any -> any any (msg:"Telnet login as root";content:"root";nocase;flow:to_server:established;)
>
> I mistakenly typed a ":" instead of "," between the flow statement
>
> When I correct the rule snort is able to init correctly :)
> (the glass is half full)

Good. :)  Don't type that. :)

Your problem below isn't the same--It's different.

> I looked at the FAQ said DO GDB so here it is
> [root@Fedora1 root]# gdb snort
> GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh)

[...snip...]

> (gdb) run snort -T -v -c /etc/snort/snort.conf
> Starting program: /opt/snort/bin/snort snort -T -v -c /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
> ERROR: OpenPcap() FSM compilation failed:
>         syntax error
> PCAP command: snort
> Fatal Error, Quitting..
>
> Program exited with code 01.
> (gdb) where
> No stack.
> (gdb) bt
> No stack.

Makes perfect sense. :)

Instead of "run snort ...." try just "run <options>" without the word
'snort'.  Libpcap is seeing that and trying to interpret it as a BPF style
filter, hence the syntax error with OpenPcap.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa
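
Added example, not part of the original message and not Snort's own code: a small pre-load check that reports the `flow` typo quoted above as a diagnostic before the rule file is handed to Snort. The function names are hypothetical, and the keyword set is an assumption based on the `flow` arguments documented for Snort 2.x.

```python
# Flow arguments documented for Snort 2.x (assumption: adjust to your version).
FLOW_KEYWORDS = {
    "to_client", "to_server", "from_client", "from_server",
    "established", "not_established", "stateless",
    "no_stream", "only_stream", "no_frag", "only_frag",
}

# Constructed samples: the rule as posted, and with the ':' replaced by ','.
BAD_RULE = ('alert tcp any any -> any any (msg:"Telnet login as root";'
            'content:"root";nocase;flow:to_server:established;)')
GOOD_RULE = BAD_RULE.replace("to_server:established", "to_server,established")


def split_options(rule):
    """Split the (...) section on ';', ignoring ';' inside quotes or escaped."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        raise ValueError("rule has no (...) option section")
    options, current, in_quote, escaped = [], "", False, False
    for ch in rule[start + 1:end]:
        if ch == ";" and not in_quote and not escaped:
            options.append(current.strip())
            current = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\" and not escaped)
        current += ch
    options.append(current.strip())  # text after the last ';', if any
    return [opt for opt in options if opt]


def lint_flow(rule):
    """Return a list of problems found in the rule's flow option(s)."""
    problems = []
    for option in split_options(rule):
        name, _, value = option.partition(":")
        if name.strip() != "flow":
            continue
        for arg in (a.strip() for a in value.split(",")):
            if arg not in FLOW_KEYWORDS:
                problems.append(f"flow: unrecognised argument {arg!r}")
    return problems


if __name__ == "__main__":
    for rule in (BAD_RULE, GOOD_RULE):
        print(lint_flow(rule) or "flow option OK")
```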

