[Snort-users] Re: [Snort-announce] run snort on GRE tunnel interface?

Martin Roesch roesch at ...1935...
Tue Jun 26 16:35:19 EDT 2001


Snort doesn't support GRE decoding yet, so it won't run on a GRE
interface.  The segfault is incidental to the shutdown process,
something we have to clean up, but even if we cleaned that up it
wouldn't run.  I've been planning on adding GRE decoding for a while,
but if you want/need it before I get to it, adding decoders to Snort
isn't especially hard.  If you want to take a shot at it, feel free (and
also feel free to ask any questions you might have about the process).

     -Marty

Andreas Dembach wrote:
> 
> Hi,
> 
> snort version 1.7 SEGFAULTS if told to listen on a GRE tunnel interface:
> 
> -----------------------
> # snort -h xx.xx.xx.xx/24 -c /etc/snort/snort.conf
> -S"HOME_NET=xx.xx.xx.xx/24"     -l /var/log/snort -b -d -u snort -g snort
> -s -i gre0
> Initializing Network Interface gre0
> Warning: arptype 778 not supported by libpcap - falling back to cooked
> socket
> 
> snort cannot handle data link type 113
> Exiting...
> Segmentation fault
> #
> -------------------------------
> 
> Is this a snort problem or one of libpcap? tcpdump complains (but works
> anyway):
> 
> >Warning: arptype 778 not supported by libpcap - falling back to cooked
> socket
> >tcpdump: listening on gre0
> 
> Im am running on linux with a 2.2.17 kernel and libpcap0 0.6.2-1
> 
> Any ideas or comments?
> 
> Andreas Dembach
> 
> _______________________________________________
> Snort-announce mailing list
> Snort-announce at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-announce

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org




More information about the Snort-users mailing list