[Snort-devel] Bug in snort - no resolve
elof at ...969...
Tue Dec 6 03:15:34 EST 2005
Oct 17 I reported this problem for snort v2.4.2. (see below)
A few minutes ago I downloaded the current CVS snapshot of snort and
tested it. It too has this problem:
Ports to decode RPC on: 111 32771
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
Ports: 25 691
ERROR: ERROR ../rules/bad-traffic.rules(12): Couldn't resolve hostname
Fatal Error, Quitting..
Could you please rewrite the resolver part of the parser code so that
snort can run on a system with absolutely no resolving support?
(my snort is running in a very stripped down environment)
Date: 17 Oct 2005 16:24:01 +0200 (CEST)
Subject: [Snort-devel] Bug in snort v2.4.2 - no resolve
I have a stand-alone FreeBSD system running snort for years.
Now I tried to upgrade snort to 2.4.2 and it fails.
With the default snort.conf and rules, snort exits with the following
couldn't resolve hostname: 220.127.116.11
This address/network comes from sid:1431 in bad_traffic.rules.
After some debugging I found out that it is because I have disabled "bind"
from /etc/host.conf (nsswitch.conf in linux), and I don't want to enable
If I temporarily enable both "hosts" and "bind" in /etc/host.conf, snort
2.4.2 starts without any problem.
Have you done something wrong with the resolver function in snort 2.4?
IMHO, snort should proceed even if I have disabled "bind" and only use the
Oh, and BTW, why is snort trying to resolve multicast addresses in the
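
The failure reported above is a numeric address in a rule being passed to the system resolver. As an added example (not Snort's code and not part of the original message), the C code below parses a dotted-quad or CIDR token with inet_pton() alone, so a rule loader could reserve name lookups for tokens that are actually hostnames. The function name parse_numeric_net and the sample tokens are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a Snort function): parse "a.b.c.d" or "a.b.c.d/len"
 * into a host-order network address and mask using inet_pton() only, so the
 * resolver (hosts file, DNS) is never consulted. Returns 0 on success, -1 if
 * the token is not a numeric IPv4 address and would need a name lookup. */
int parse_numeric_net(const char *tok, uint32_t *addr, uint32_t *mask)
{
    char buf[INET_ADDRSTRLEN + 4];          /* room for "/32" and the NUL */
    struct in_addr in;
    unsigned long len = 32;                 /* bare address means a /32 host */
    char *slash, *end;

    if (strlen(tok) >= sizeof(buf))
        return -1;
    strcpy(buf, tok);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash++ = '\0';
        if (*slash < '0' || *slash > '9')   /* rejects "", "-1", " 4" */
            return -1;
        len = strtoul(slash, &end, 10);
        if (*end != '\0' || len > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)  /* strict dotted-quad parse */
        return -1;

    *mask = (len == 0) ? 0 : (0xFFFFFFFFu << (32 - len));
    *addr = ntohl(in.s_addr) & *mask;
    return 0;
}

int main(void)
{
    /* Constructed sample tokens, not taken from any rules file. */
    const char *samples[] = { "224.0.0.0/4", "192.0.2.17", "example.invalid" };
    uint32_t a, m;
    for (size_t i = 0; i < 3; i++) {
        if (parse_numeric_net(samples[i], &a, &m) == 0)
            printf("%s -> %08x/%08x (no lookup)\n", samples[i], a, m);
        else
            printf("%s -> not numeric, needs resolver\n", samples[i]);
    }
    return 0;
}
```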