[Snort-devel] snort 1.7 on obsd 2.5

Eugene Tsyrklevich eugene at ...223...
Fri Jan 19 15:21:38 EST 2001


Hi,

With OpenBSD < 2.7 you have to use a routing socket to extract the MTU
(http://www.sigmasoft.com/~openbsd/archive/openbsd-tech/200101/msg00198.html)

I think Fyodor was working on a patch for that, until then this has worked
for me:


--- snort.c.orig        Fri Jan 19 12:11:09 2001
+++ snort.c     Fri Jan 19 12:16:15 2001
@@ -1490,7 +1490,12 @@
         retval = ifr.ifr_metric;
 #endif
     else
+//#ifdef __OpenBSD__
+#if OpenBSD <= 199912
+       retval = ETHERNET_MTU;
+#else
         PrintError("ioctl(SIOCGIFMTU)");
+#endif

     close(fd);
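
Review bot: The guard `#if OpenBSD <= 199912` is true on every platform where the `OpenBSD` macro is not defined, because the preprocessor evaluates an undefined identifier in `#if` as 0, so the `PrintError("ioctl(SIOCGIFMTU)")` branch is compiled out everywhere and a failed ioctl is silently replaced by `ETHERNET_MTU`. Use `#if defined(OpenBSD) && OpenBSD <= 199912`, and make sure the header that defines the macro is included before this point, since the hunk does not show one. The fallback is also applied without any message and regardless of interface type, so a non-Ethernet interface such as the tun0 in the quoted report would be given an Ethernet MTU; printing a warning when the default is used would make that visible. The leftover `//#ifdef __OpenBSD__` line should be dropped rather than committed, and `//` comments are not valid C89.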


cheers


On Fri, Jan 19, 2001 at 09:29:09AM -0800, John Kinsella wrote:
> Hey guys...not sure if somebody's working this or not already...looks
> like because of the addition of the mtu code in snort 1.7 it won't run
> under OpenBSD 2.5...heard rumors on dejaNews about the same problem for 
> 2.6.  Been tinkering around with snort.c to see if I can get it working,
> looks like when the call to GetIfrMTU(snort.c:1376) fails it isn't a
> fatal error in and of itself...commenting out the if loop which tests at
> 1378 allows me to run 'snoop -v' and see output, but when I try to send my
> rules at it('snoop -i tun0 -v -c rules') it coredumps while trying to
> Initialize rule chains.
> 
> Looking at the libpcap code, their configure script actually has
> pcap_open_live() stay away from the ioctl tricks under obsd.  I tried
> putting their MTU discovery code(basically divide size by 2 until buffer
> is small enough) into the GetIfrMTU function, but still end up with a
> buffer size of 0...anybody else playing with this?  Gotta go do the day
> job now but I wouldn't mind getting this working if I can.
> 
> John



