[Snort-devel] Odd things with 1.9 build 207 and 'config' statements

Erek Adams erek at ...105...
Fri Sep 20 15:04:03 EDT 2002


Oddity #1:  When you use a 'config interface: <foo>' statement in snort.conf,
snort will still open and try to read off the 'lower' interface.

 Command line 1:  snort -vade -i hme1
 Config file 1:  #config interface: hme1
 Output 1:
          --== Initializing Snort ==--
  Decoding Ethernet on interface hme1

 Command line 2: snort -vade
 Config file 2:  config interface: hme1
 Output 2:
          --== Initializing Snort ==--
  Decoding Ethernet on interface hme0
  Decoding Ethernet on interface hme1



Oddity #2:  It seems that DebugMessageFunc is getting a NULL from ParseConfig.
ParseConfig mSplits on ':' but since some config options don't have a ':
<value>' part then args is still NULL.  This forces snort to core, but _only_
when debugging the parser.  Thanks to Phil Wood and Nick Giordano for helping!


Oddity #3:  The manual on page 11 says:
   order
         Change the pass order of rules ( snort -o )

If you place that in your config, it'll dump core.  OrderRuleLists needs to
have the order listed for it to work.  Such as:

snort.c:2277:        OrderRuleLists("pass activation dynamic alert log");


As usual, if I'm off base on any of that, please correct me.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net











More information about the Snort-devel mailing list