[Snort-devel] many bugs in config directives
ajlill at ...267...
Mon Jul 23 00:08:11 EDT 2001
I'm running snort Version 1.8.1-beta3 (Build 50), and I have been
trying to use the config directives. They don't work very well. During
the course of debug this I've found:
Setting 'config no_promisc' in the config file does nothing by
itself. This is because InitInterfaces is called before the rules file
is parsed, because, according to the comments, some output plugins
require it. If that's really the case, then shouldn't those output
plugins check if ifr_count > 0 and call InitInterfaces themselves? The
ordering constraints could then be documented. Or, InitInterfaces could
be called when 'config no_promisc' is parsed.
The "config interface:" option adds a second interface, which does not
work unless USE_PTHREADS is on. Is this really what you want? I
would think that if no interface is specified on the command line and
only one is specified in the config file, then that is the only
interface to be used. If you really wanted 'config interface' to add
to the list of interfaces, it should throw up an error if used without
The call SetPktProcessors must be moved to after reading the config
file for multiple interfaces to work.
While looking through the code, I've found 2 fairly similar functions
being used: SyslogAlert in log.c when the -s option is used, and
AlertSyslog in spo_alert_syslog.c when 'output alert_syslog' is used.
The latter is obviously out of date, since it doesn't spew out the
session info. There are also a bunch of other minor differences.
It was pretty trivial to make them both use the same func. The same
goes for the smb alerts.
Also, what's the deal with otn_tmp? Is it ok to unconditionally set it
to null before the anomsenor calls the alert functions. This would
eliminate the random classifications that it throws up there. Or has
this been eliminated by other means?
Tony Lill, Tony.Lill at ...551...
President, A. J. Lill Consultants fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2 (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
More information about the Snort-devel