[Snort-users] compiling with --enable-inline impacts non-inline sniffing

Dan Weber weberdan at ...11827...
Tue Mar 30 17:22:59 EDT 2010


I configure snort like this:

./configure --enable-ipv6 \
 --enable-dynamicplugin --enable-inline --enable-ipfw \
 --with-libnet-includes=/usr/local/include/libnet-1.0 \
 --with-libnet-libraries=/usr/local/lib/libnet-1.0

I compile, then run snort like this:

snort -i lo -c snort.conf

where "snort.conf" is an empty file. And it reads from a different
interface, not lo.

Looking in the source, things are okay in the SnortConfigso bad in
MergeSnortConfs(), which I think is there to merge the configuration
on my command line with whatever is read from the configuration file.
Around line 4620 is this:

#if defined(GIDS) && defined(IPFW)
    config_file->divert_port = cmd_line->divert_port;

    if (config_file->interface != NULL)
    {
        free(config_file->interface);
        config_file->interface = NULL;
    }
#endif

If I'm understanding it correctly, this erases the interface in the
config_file if it exists, even if I'm not in inline mode.  I'm not
sure what test should be there, but this doesn't seem right.

snort still sniffs, but it sniffs the "default interface" as determined
by libpcap, instead of what was on the command line.

Tested on both 2.8.5.2 and 2.8.5.3, as well as the 2.8.6.rc.
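
A simplified model of the merge step described in the post above, added here as an illustration and not taken from Snort's source. `struct conf`, the `inline_mode` flag, the earlier step that copies the command-line interface, and the guard itself are assumptions; the block shows `-i lo` being dropped when inline mode is off, and one possible test that keeps it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the two config objects being merged. */
struct conf {
    char *interface;   /* -i argument, or NULL */
    int divert_port;
    int inline_mode;   /* hypothetical flag: inline operation requested */
};

/* Assumed earlier merge step: a command-line -i overrides the file. */
static void take_cmdline_interface(struct conf *file, const struct conf *cmd)
{
    if (cmd->interface == NULL) return;
    free(file->interface);
    file->interface = malloc(strlen(cmd->interface) + 1);
    if (file->interface != NULL) strcpy(file->interface, cmd->interface);
}

/* Models the quoted block in a GIDS+IPFW build; guarded=1 adds a hypothetical inline_mode test. */
static void merge(struct conf *file, const struct conf *cmd, int guarded)
{
    take_cmdline_interface(file, cmd);
    if (guarded && !cmd->inline_mode)
        return;                      /* plain sniffing: keep -i */
    file->divert_port = cmd->divert_port;
    free(file->interface);           /* free(NULL) is a no-op */
    file->interface = NULL;
}

/* Interface left after merging "-i lo"; "(none)" means NULL, so libpcap's default is used. */
const char *effective_interface(int guarded, int inline_mode)
{
    static char out[32];
    struct conf file = { NULL, 0, 0 };
    struct conf cmd = { "lo", 8000, inline_mode };  /* constructed input */
    merge(&file, &cmd, guarded);
    snprintf(out, sizeof out, "%s", file.interface ? file.interface : "(none)");
    free(file.interface);
    return out;
}

int main(void)
{
    printf("as quoted, sniffing: %s\n", effective_interface(0, 0));
    printf("guarded,   sniffing: %s\n", effective_interface(1, 0));
    return 0;
}
```

For a sensor, the "(none)" case means alerts come from whatever interface libpcap picks, so comparing the interface Snort reports at startup with the one requested is a cheap check after any rebuild with different configure flags.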



