[Snort-devel] A question regarding InitializeInterfaces

Fyodor fygrave at ...1...
Mon Nov 19 13:44:02 EST 2001


On Mon, Nov 19, 2001 at 04:14:44PM +0100, Dirk Geschke wrote:
> Hi all,
> 
> maybe one simple question, but what is the reason for calling
> the function InitializeInterfaces twice?
> 

True looks like some cut-n-paste screwup. There's a dilema though which
I don't see how to solve nicely for the moment :-p, you need to have
interfaces initialised in order to have some plugins to be able to
startup properly. But on the other hand you may need to read
configuration file first if an interface name is specified there.
What ideally should be done is separation of ReadConfFile()
functionality and delayed plugins initialisation, which would allow to
startup plugins when the rest of initalisation is done. (I faced the
similar problem with chroot in fact, that is why you have some log files
being owned as root within chroot tree even though your snort daemon is
running as non-root user). I cleaned up original mess (I hope) to
initialize interfaces once just before config file is read (which means
you'd have to specify interface from command line, if you want it to be
different from the one which lipcap picks up by default)... but IMHO we
need to have a look into the design further.. maybe with snort 2.x cuz
otherwise you need a really long weekend to recode what I was suggesting
(and I personally still don't have time to incorporate some security
fixes into current CVS from one of the past CVS snapshots which I had on
my disk while ago, and where I made the patching).


> 
> (Clear, this is the second OpenPcap call without closing the first...)
> 
> Best regards,

yup, thanks for your feedback the changes just have been committed.

-Fyodor




More information about the Snort-devel mailing list