[Snort-devel] All packets on 'lo' double-logged with 1.8.7/1.9.0
jpljpl at ...578...
Fri Oct 18 10:17:04 EDT 2002
I posted the message to snort-users originally, but I guess this
mailing list is more appropriate:
Having installed 1.8.7 from source, I notice that each packet is being
logged twice (I used the following command lines: "snort -b -l . -i lo"
and "snort -dev -i lo"). So I upgraded to 1.9.0, but the problem persists.
It doesn't help to run snort with the -c option to point to the snort.conf
from the rules-stable.tar.gz distribution either.
On another machine I have snort 1.8.7 installed from a Debian package
and it's working fine.
Can you give me a hint about what I should investigate in my faulty
installation? Could it be due to some 'configure' options (I didn't
specify any but --prefix) or perhaps a wrong version of libpcap?
SuSE's libpcapn-0.4a6-343 there..)
Since posting the above message, I installed libpcap-0.4 from source,
it did not help. I also observed that if I monitor eth0, the packets
are not double-logged. This happens only with the loopback interface.
I tried to figure out what is going on with gdb. It appears that
ProcessPacket in snort.c is being called twice for each packet.
But why? I am attaching the entire log of my gdb session.
Best regards -
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2934 bytes
Desc: not available
More information about the Snort-devel