[Snort-users] Segfault on fun funy rule
erek at ...950...
Wed Feb 25 22:24:06 EST 2004
On Wed, 25 Feb 2004, Jason Monroe "JC" wrote:
> Downloaded 2.1.1 built it against Fedora Core 1
> pcre 4.4
> Have rule in local.rules that causes breakage
> alert tcp any any -> any any (msg:"Telnet login as
> I mistakenly typed a ":" instead of "," between the flow statement
> When I correct the rule snort is able to init correctly :)
> (the glass is half full)
Good. :) Don't type that. :)
Your problem below isn't the same--It's different.
> I looked at the FAQ said DO GDB so here it is
> [root at ...11312... root]# gdb snort
> GNU gdb Red Hat Linux (5.3.90-0.20030710.41rh)
> (gdb) run snort -T -v -c /etc/snort/snort.conf
> Starting program: /opt/snort/bin/snort snort -T -v -c
> Running in IDS mode
> Log directory = /var/log/snort
> Initializing Network Interface eth0
> ERROR: OpenPcap() FSM compilation failed:
> syntax error
> PCAP command: snort
> Fatal Error, Quitting..
> Program exited with code 01.
> (gdb) where
> No stack.
> (gdb) bt
> No stack.
Makes perfect sense. :)
Instead of "run snort ...." try just "run <options>" without the word
'snort'. Libpcap is seeing that and trying to interpret it as a BPF style
filter, hence the syntax error with OpenPcap.
"It looks just like a Telefunken U-47. You'll love it..." -- Frank Zappa