[Snort-devel] Problem (and Fix) when reading from files

Serge Droz serge.droz at ...452...
Wed Aug 14 02:00:06 EDT 2002


Hello,

It seems to me there is a problem when reading data from tcpdump files.
(This applies to version 1.8.7 and earlier). We're running under Linux
here.
 
In snort.c line 1851 there is a call to pcap_lookupnet
even if we are reading from a file. 
We found this because we always got syslog entries of the form:

Aug 14 10:30:08 pc111 modprobe: modprobe: Can't locate module [reading
from a

pcap tries to access the interface "[reading from a file]" (set at line
1749).

I have appended a patch for 1.8.7 which should fix this behavior.

Any feedback is appreciated.
Serge


-- 
Serge Droz
Paul Scherrer Institut                mailto:serge.droz at ...452...
CH-5232 Villigen PSI                   Phone: ++41 56 310 3637
                                         Fax: ++41 56 310 3649
-------------- next part --------------
--- /tmp/snort-1.8.7.orig/snort.c	Fri Jun 28 16:22:59 2002
+++ /tmp/snort-1.8.7/snort.c	Wed Aug 14 10:45:42 2002
@@ -1845,9 +1845,14 @@
                        PRINT_INTERFACE(pv.interfaces[num]), errorbuf);
         }
     }
+    
     /* get local net and netmask */
-    if(pcap_lookupnet(pv.interfaces[num], &localnet, &netmask, errorbuf) < 0)
+
+    if(!pv.readmode_flag && pcap_lookupnet(pv.interfaces[num], &localnet, &netmask, errorbuf) >= 0)
     {
+        DefineIfaceVar(pv.interfaces[num], (u_char *) &localnet, 
+                (u_char *) &netmask);
+    }  else {
        if (!pv.readmode_flag)
        {
             ErrorMessage("WARNING: OpenPcap() device %s network "
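Review bot: the new test `if(!pv.readmode_flag && pcap_lookupnet(...) >= 0)` swaps the success and failure branches, which forces the DefineIfaceVar block to move and introduces a `}  else {` that does not match the brace-on-its-own-line style of the surrounding context lines. Keeping the original branch order and changing only the condition to `if(pv.readmode_flag || pcap_lookupnet(pv.interfaces[num], &localnet, &netmask, errorbuf) < 0)` would skip the pcap_lookupnet call in read mode through short-circuit evaluation just the same, as a one-line diff. The whitespace-only line added before the `/* get local net and netmask */` comment and the blank line added between that comment and the `if` should be dropped.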
@@ -1860,12 +1865,8 @@
          */
         netmask = htonl(defaultnet);
     }
-    else
-    {
-        DefineIfaceVar(pv.interfaces[num], (u_char *) &localnet, 
-                (u_char *) &netmask);
-    }
 
+    
     /* compile BPF filter spec info fcode FSM */
     if(pcap_compile(pds[num], &fcode, pv.pcap_cmd, 1, netmask) < 0)
     {
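Review bot: missing documentation near `netmask = htonl(defaultnet);`: as far as these lines show, after this change read mode always reaches the pcap_compile call with the default netmask, because no interface lookup is done for a file, and nothing here says so. A short comment next to that assignment stating that capture files are compiled with the default netmask would make the intent clear to the next reader. The line added before `/* compile BPF filter spec info fcode FSM */` contains only spaces and can be left out of the patch.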
