[Snort-devel] spo_alert_unixsock is broken, patch attached

Dirk Geschke Dirk_Geschke at ...802...
Tue Mar 13 12:43:16 EDT 2007


Hi Jeff,

I think it would be a better fix to allow only a snaplen of SNAPLEN
within snort. This would make rethinking of the caplen size more obsolete.

With your fix you may end up in a big/little endian problem.

BTW: Does anyone understand this definition:

/* IRIX 6.2 hack! */
#ifndef IRIX
    #define SNAPLEN         1514
#else
    #define SNAPLEN         1500
#endif

I think for ethernet it should be 1514 regardless of which OS, normally
14 bytes are the size of the MAC header... (Ok, 1518 would be more
precise but the last 4 bytes are only an end marker.)

And furthermore: For GB-Ethernet one can use jumbo frames. So maybe it
would be better to set SNAPLEN to 9014?

Best regards

Dirk 




