Snort mailing list archives

Re: Snort -T and -K in 2.4.1

From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 19 Sep 2005 11:09:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nevermind, I found the bug.  I'll get a fix out shortly...

On Sep 17, 2005, at 9:48 PM, Zultan wrote:

Has anyone else noticed this?

In version 2.4.1, -T runs as before 2.4.0, but it now wants a "-Kascii" or a "-K none". "-K pcap" or no -K at all fails, regardlessof the output line in snort.conf. For example...


"snort -Toc /etc/snort/snort.conf"
or...
"snort -K pcap -Tc /etc/snort/snort.conf"

fails with this

| gen-id=1 sig-id=2001580 type=Both tracking=srccount=200 seconds=60| gen-id=1 sig-id=3543 type=Threshold tracking=srccount=5 seconds=2| gen-id=1 sig-id=2001553 type=Threshold tracking=srccount=100 seconds=60+-----------------------[suppression]------------------------------------------

| none

-------------------------------------------------------------------------------

Rule application order: ->pass->activation->dynamic->alert->log->drop
Log directory = /var/log/snort
Segmentation fault

###################

However these finish normally.

"snort -K none -Tc /etc/snort/snort.conf"
or...
"snort -K ascii -Tc /etc/snort/snort.conf"

returns this


Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting




--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm



-------------------------------------------------------
SF.Net email is sponsored by:

Tame your development challenges with Apache's Geronimo App Server.Download

it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDLtSoqj0FAQQ3KOARAkUlAJ4opQlpyTzSDecTG87UUbA821YZZwCfRtLr
zCYjpOWF+NPOd1c7BIGVjqE=
=Bi0Y
-----END PGP SIGNATURE-----


-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort -T and -K in 2.4.1 Zultan (Sep 17)
- Re: Snort -T and -K in 2.4.1 Martin Roesch (Sep 19)
- Re: Snort -T and -K in 2.4.1 Martin Roesch (Sep 19)