[Snort-users] Snort -T and -K in 2.4.1

Martin Roesch roesch at ...1935...
Mon Sep 19 07:31:03 EDT 2005


Hm, that's weird.  What platform?  Can you look at the BUGS file and  
fill in the blanks on the info we need to diagnose it?

      -Marty

On Sep 17, 2005, at 9:48 PM, Zultan wrote:

> Has anyone else noticed this?
>
> In version 2.4.1, -T runs as before 2.4.0, but it now wants a "-K  
> ascii" or a "-K none". "-K pcap" or no -K at all fails, regardless  
> of the output line in snort.conf. For example...
>
> "snort -Toc /etc/snort/snort.conf"
> or...
> "snort -K pcap -Tc /etc/snort/snort.conf"
>
> fails with this
>
>
> | gen-id=1      sig-id=2001580    type=Both      tracking=src count=200 seconds=60
> | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2
> | gen-id=1      sig-id=2001553    type=Threshold tracking=src count=100 seconds=60
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order: ->pass->activation->dynamic->alert->log->drop
> Log directory = /var/log/snort
> Segmentation fault
>
> ###################
>
> However these finish normally.
>
> "snort -K none -Tc /etc/snort/snort.conf"
> or...
> "snort -K ascii -Tc /etc/snort/snort.conf"
>
> returns this
>
>
> Snort sucessfully loaded all rules and checked all rule chains!
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
> Overhead blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0
> low_time: 0, high_time: 0, diff: 0h:00:00s
>     finds: 0 reversed: 0(%0.000000)
>     find_sucess: 0 find_fail: 0
> percent_success: (%0.000000) new_flows: 0
> Snort exiting

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

