[Snort-devel] Possible bug ????

Phil Wood cpw at ...86...
Sat Oct 12 11:32:02 EDT 2002


1.8.7:
        -s     Send alert messages to syslog. On linux boxen, they will
               appear in /var/log/secure, /var/log/messages on many
               other platforms.

1.9.0: says the same thing.

Looking deeper, it appears that someone botched the "valid_options".
The code to handle 's' is the same on both.  And GOW (good old windows)
takes an argument for the syslog.  However, when you look closely at the
options, 1.8.7 says GOW 's' requires an argument.  1.9.0 says Unix
requires the argument.  What's Up Doc?

1.8.7:
#ifndef WIN32
    valid_options = "B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
        "i:G:vV?aso6u:g:t:Uyz";
#else
    valid_options = "B:fk:TXL:IOCWqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
        "i:G:vV?aEo6u:g:s:t:Uyzw:";
#endif
...
            case 's':  /* log alerts to syslog */
                pv.syslog_flag = 1;
                DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n");
                /* command line alerting option has been specified, 
                 * override the alert options in the config file
                 */
                pv.alert_cmd_override = 1;
#ifdef WIN32
                pv.syslog_remote_flag = 1;
                toks = mSplit(optarg, ":", 2, &num_toks, 0);
                strncpy(pv.syslog_server, toks[0], STD_BUF-1);
                pv.syslog_server_port = (num_toks == 1) ? 514 : atoi(toks[1]);
                DebugMessage(DEBUG_INIT, "Logging alerts to syslog server %s on port %d\n",
                                         pv.syslog_server, pv.syslog_server_port);
#endif

1.9.0:

#ifndef WIN32
    valid_options = "R:B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
        "i:G:vV?ao6u:g:s:t:Uwyz";
#else
    valid_options = "R:B:fk:TXL:IOCqS:pNA:m:F:DM:br:xeh:l:dc:n:P:"
        "i:G:vV?ao6u:g:st:UwyzEW";
#endif

...

            case 's':  /* log alerts to syslog */
                pv.syslog_flag = 1;
                DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n"););
                /* command line alerting option has been specified, 
                 * override the alert options in the config file
                 */
                pv.alert_cmd_override = 1;
#ifdef WIN32
                pv.syslog_remote_flag = 1;
                toks = mSplit(optarg, ":", 2, &num_toks, 0);
                strncpy(pv.syslog_server, toks[0], STD_BUF-1);
                pv.syslog_server_port = (num_toks == 1) ? 514 : atoi(toks[1]);
                DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Logging alerts to syslog server %s on port %d\n",
                    pv.syslog_server, pv.syslog_server_port););
#endif


On Fri, Oct 11, 2002 at 07:50:45PM +1000, Linus Hindmarsh wrote:
> Hi
> 
> Not sure if this is a bug or me missing something, anyway, I recently
> upgraded from 1.8.7 to 1.9.0 using the RPM binaries, however when I went
> to start snort using the script that I used for 1.8.7
> 
> -------------------------------------------
> # Specify your network interface here
> INTERFACE=ppp0
> 
> # See how we were called.
> case "$1" in
>   start)
>         echo -n "Starting snort: "
>         cd /var/log/snort
>         daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -s\
>                  -i $INTERFACE -c /etc/snort/snort.conf
>         touch /var/lock/subsys/snort
> ------------------------------------------- etc etc
> 
> I got the following error in syslog
> 
> -------------------------------------------
> Oct 11 19:09:21 kylie snort: Initializing Output Plugins!
> Oct 11 19:09:21 kylie kernel: eth0: Setting promiscuous mode.
> Oct 11 19:09:21 kylie kernel: device eth0 entered promiscuous mode
> Oct 11 19:09:21 kylie snort: ERROR: OpenPcap() FSM compilation failed:
> ^Iparse
> error
> Oct 11 19:09:21 kylie snort: FATAL ERROR: PCAP command: ppp0
> Oct 11 19:09:21 kylie kernel: device eth0 left promiscuous mode
> Oct 11 19:09:21 kylie snortd: snort startup failed
> --------------------------------------------
> 
> After tearing my hair out and through a process of elimination, I
> tracked it down to the "-s" command line option. Removing this enables
> snort to start properly.
> 
> Using "snort --help" indicates that "-s" is a valid option, so I am not
> sure what the deal is.
> 
> Cheers
> Linus Hindmarsh
> 

-- 
Phil Wood, cpw at ...86...





More information about the Snort-devel mailing list