[Snort-devel] Bug-report for snort 2.4.3 - interface + daemon

Martin Olsson elof at ...969...
Tue Jan 24 04:57:01 EST 2006


Two "bugs" found in snort 2.4.3 (build 27):
(Running on FreeBSD)

1. Snort is touching an interface it shouldn't mess with

dc0 = my management interface (with an IP address)
dc1 = my monitor interface (without any IP address)

In my snort.conf I have stated "config interface: dc1".
On the commandline I have omitted the -i option since the interface is
stated in snort.conf.

When starting snort it immediately touch my first interface (dc0).

Here is an example of the output from snort in testmode:

~> snort -T -c snort.conf.dc1
*** interface device lookup found: dc0    <-------------------
Running in Test mode with config file:
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding LoopBack on interface dc0        <-------------------
Initializing Preprocessors!

In the syslog I also see that something is messing with dc0:

Jan 24 13:15:52 foo /kernel: dc0: TX underrun -- increasing TX threshold

I don't want snort to touch dc0 at all.
Right now there's a workaround - specify "-i dc1" on the commandline.

2. Snort doesn't enter daemon mode

In my snort.conf I have stated "config daemon".
When starting snort some (but not all) things are logged to syslog instead
of stdout, but the process is still running in the foreground.
Right now there's a workaround - specify "-D" on the commandline.

So, both "bugs" have workarounds, but I still think they are in error.


