[Snort-users] My script works, but snort segfaults :(

Vitaly McLain twistah at ...93...
Wed Aug 2 21:28:40 EDT 2000


Hello Snorters, (Note to mail filters: I am not referring to anything drug
related :-])

I am having a problem with snort segfaulting when it reads the rules file.
To explain what exactly I did would take up too much time, so here is the
skinny:

I have a modem + PPP connection, so my IP changes every time I dial up. The
script on snort.org doesn't work for me: 1) It doesn't look for the IP on
the PPP interface 2) It looks for an IP in the rules file to replace, but
after it replaced that IP, it doesn't know what to look for the next time.
Get my drift? If not, I'll explain it when I release my script...
So, being a good UNIX user, I wrote a BASH script that would store an IP in
a file, and when it's loaded the next time, it would read the IP from the
file, look for THAT in the rules file, and replace it with a new IP (and
start snort, etc).

Well, it works. Sort of. Here is my problem: the IP gets replaced fine, but
when snort reads the file after the replace, I just get:
Segmentation Fault. [when it gets to the part of reading in the file]
No core, so I can't run gdb on that. I am not familiar with debuggers, so if
anyone wants me to run gdb/strace/etc on snort, tell me the commands to use.

I tried everything I could think of, but I am not sure why it's segfaulting.
I don't want to post the script yet, but I will if it's needed. The heart of
it is this:
REGEX=s\/$OIP\\/$MASK/$MYIP\\/$MASK/g

Later on, this is done:
cat $SNORTDIR/$RULESFILE | sed $REGEX > $SNORTDIR/$RULESFILE

Everything SEEMS to work (the variables are fine, etc), as the IP seems to
be replaced fine. I could have missed something: last time I played with
this, it was 3:00am.

So if anyone can offer a snort patch, a better script, etc please post.
Sorry for the long message.

My setup:
Linux Slackware 7 (kernel 2.2.13, I should upgrade :)
External Interface: ppp0
GNU bash, version 2.03.0(1)-release (i386-slackware-linux-gnu)
GNU sed version 3.02

Thanks in advance,
Vitaly McLain
twistah at ...93...
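
An added example, not part of the original post and not the script from snort.org: the procedure described above (remember the old IP in a file, substitute the new one into the rules file) written so that the rules file is never the output of a pipeline that is still reading it. With "cat FILE | sed ... > FILE" the shell truncates FILE when it sets up the redirection, which can happen before cat has read it. The function names, the state-file layout and the argument order are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. All names here are hypothetical.

# Accept only a dotted quad, so nothing unexpected reaches the sed expression.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# update_rules RULES STATE NEW_IP MASK
# STATE holds the address that was written into RULES on the previous run.
update_rules() {
    rules=$1 state=$2 new_ip=$3 mask=$4
    old_ip=$(cat "$state") || return 1
    is_ipv4 "$old_ip" && is_ipv4 "$new_ip" || return 1
    case $mask in ''|*[!0-9]*) return 1 ;; esac

    # Escape the dots: unescaped, "1.2.3.4" would also match "1x2y3z4".
    old_re=$(printf '%s\n' "$old_ip" | sed 's/\./\\./g')

    # Write to a temp file in the same directory, never onto the input.
    tmp=$(mktemp "$rules.XXXXXX") || return 1

    # Replace the rules file only if sed succeeded, the result is non-empty
    # and no lines were lost; otherwise leave rules and state untouched.
    if sed "s|$old_re/$mask|$new_ip/$mask|g" "$rules" > "$tmp" &&
       [ -s "$tmp" ] &&
       [ "$(wc -l < "$tmp")" -eq "$(wc -l < "$rules")" ]; then
        mv "$tmp" "$rules" && printf '%s\n' "$new_ip" > "$state"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

mktemp creates its file with mode 0600, so after the mv the rules file is readable only by its owner; adjust with chmod if another account needs to read it.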





