[Snort-devel] reading pcap from pipes

Môshe Van der Sterre me at ...2996...
Mon Nov 3 05:13:11 EST 2008


Some time ago, I asked how to use a pipe as input for stdin on your
forum: http://www.snort.org/reg-bin/forums.cgi?forum_id=5&topic_id=6585
Because I received no answer, today I went looking a bit why this does
not work. It seems all files to be opened are checked on S_IFREG.
Disabling that check gives no error for me, so I wonder why that check
is in there. Can someone explain this?

If there is no particular reason to check for S_IFREG in the case of
PCAP_SINGLE, I might make a patch removing it.
I have not looked at the code for other types, but if these are
implemented using a select or poll mechanism, I see no reason to keep
the S_IFREG checks at all.

Also, I noticed someone recently posted a patch on using stdin (
http://www.snort.org/reg-bin/forums.cgi?forum_id=4&topic_id=6609 ).
I think this (reversed) patch is not the correct way to do this, but
being able to use "snort -r -" might be a usefull option.
If not "snort -r /proc/self/fd/0" does ofcourse already work (with files).

Môshe van der Sterre

More information about the Snort-devel mailing list