[Snort-users] My script works, but snort segfaults :(
bctavern at ...244...
Thu Aug 3 10:33:01 EDT 2000
I have snort running on a Slackware 7.0 machine with ADSL running on
pppoe. I have the script from the website set up and it works great for me.
It reads from the ppp0 interface, figures out the IP, and starts snort. If
the IP changes, it re-runs the script and re-starts snort. It has been
working flawlessly for over a month now. Let me know if I can help you out
with a setup or something.
At 08:28 PM 8/2/00 -0500, you wrote:
>Hello Snorters, (Note to mail filters: I am not referring to anything drug
>I am having a problem with snort segfaulting when it reads the rules file.
>To explain what exactly I did would take up too much time, so here is the
>I have a modem + PPP connection, so my IP changes every time I dial up. The
>script on snort.org doesn't work for me: 1) It doesn't look for the IP on
>the PPP interface 2) It looks for an IP in the rules file to replace, but
>after it replaced that IP, it doesn't know what to look for the next time.
>Get my drift? If not, I'll explain it when I release my script...
>So, being a good UNIX user, I wrote a BASH script that would store an IP in
>a file, and when it's loaded the next time, it would read the IP from the
>file, look for THAT in the rules file, and replace it with a new IP (and
>start snort, etc).
>Well, it works. Sort of. Here is my problem: the IP gets replaced fine, but
>when snort reads the file after the replace, I just get:
>Segmentation Fault. [when it gets to the part of reading in the file]
>No core, so I can't run gdb on that. I am not familiar with debuggers, so if
>anyone wants me to run gdb/strace/etc on snort, tell me the commands to use.
>I tried everything I could think of, but I am not sure why it's segfaulting.
>I don't want to post the script yet, but I will if it's needed. The heart of
>it is this:
>Later on, this is done:
>cat $SNORTDIR/$RULESFILE | sed $REGEX > $SNORTDIR/$RULESFILE
>Everything SEEMS to work (the variables are fine, etc), as the IP seems to
>be replaced fine. I could have missed something: last time I played with
>this, it was 3:00am.
>So if anyone can offer a snort patch, a better script, etc please post.
>Sorry for the long message.
>Linux Slackware 7 (kernel 2.2.13, I should upgrade :)
>External Interface: ppp0
>GNU bash, version 2.03.0(1)-release (i386-slackware-linux-gnu)
>GNU sed version 3.02
>Thanks in advance,
>twistah at ...93...
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
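The `cat ... | sed ... > file` line quoted above redirects into the same file the pipeline reads from; the shell truncates that file when it sets up the redirection, so the rules file can end up empty or partial. Below is an added example (not the poster's script and not the snort.org script) that writes the replacement to a temporary file and renames it into place only after a check; the function name `update_rules_ip` and its arguments are assumptions.

```shell
#!/bin/sh
# Added example: replace OLD_IP with NEW_IP in a rules file without ever
# truncating the live file. Function name and arguments are hypothetical.
update_rules_ip() {
    rules=$1
    old_ip=$2
    new_ip=$3

    # Refuse to work on a missing or already-empty rules file.
    [ -s "$rules" ] || { echo "rules file missing or empty: $rules" >&2; return 1; }

    # Escape the dots so 10.0.0.1 is matched literally, not as a regex
    # where "." would match any character.
    old_re=$(printf '%s' "$old_ip" | sed 's/\./\\./g')

    # Temp file in the same directory, so the final mv is a rename on the
    # same filesystem. mktemp creates it mode 0600; adjust if the IDS
    # reads the rules as another user.
    tmp=$(mktemp "$rules.XXXXXX") || return 1

    # sed reads the original and writes the copy; the original is untouched.
    if ! sed "s/$old_re/$new_ip/g" "$rules" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Sanity check before the swap: a substitution must not add or drop lines.
    if [ "$(wc -l < "$rules")" -ne "$(wc -l < "$tmp")" ]; then
        echo "rewrite check failed, keeping $rules" >&2
        rm -f "$tmp"
        return 1
    fi

    mv "$tmp" "$rules"
}
```

If any step fails, the function returns non-zero and the previous rules file is still in place, so the caller can decide whether to restart the sensor.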