[Snort-users] compiling with --enable-inline impacts non-inline sniffing
twease at ...1935...
Tue Mar 30 20:32:42 EDT 2010
On 03/30/2010 05:22 PM, Dan Weber wrote:
> I configure snort like this:
>   ./configure --enable-ipv6 \
>     --enable-dynamicplugin --enable-inline --enable-ipfw \
>     --with-libnet-includes=/usr/local/include/libnet-1.0 \
> I compile, then run snort like this:
>   snort -i lo -c snort.conf
> where "snort.conf" is an empty file. And it reads from a different
> interface, not lo.
> Looking in the source, things are okay in the SnortConfigso bad in
> MergeSnortConfs(), which I
> think is there to merge the configuration on my command line with
> whatever is read from the configuration file. Around line 4620
> is this:
> #if defined(GIDS) && defined(IPFW)
>     config_file->divert_port = cmd_line->divert_port;
>     if (config_file->interface != NULL)
>         config_file->interface = NULL;
> If I'm understanding it correctly, this erases the interface in the
> config_file if it exists, even if I'm not in inline mode. I'm not
> sure what test should be there, but this doesn't seem right.
> snort still sniffs, but it sniffs the "default interface" as determined
> by libpcap, instead of what was on the command line.
> Tested on both 126.96.36.199 and 188.8.131.52, as well as the 2.8.6.rc.
Thanks for the report. Definitely looks like a bug. It should probably
be doing an inline check before freeing the interface - if inline, free
it, else don't. Maybe something like:
    if ((config_file->run_flags & RUN_FLAG__INLINE) &&
        (config_file->interface != NULL))
        config_file->interface = NULL;
I'll be creating a bug for the issue.
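
A reduced model of the merge step discussed in this thread, added here as an illustration (not Snort's source and not code from either poster): it compares the unconditional clear with the guarded version, so a sensor started in plain sniffing mode keeps the interface it was told to watch. The struct, the helper names and the value of RUN_FLAG__INLINE are assumptions; only the flag name and the guarded condition come from the messages above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RUN_FLAG__INLINE 0x1   /* name from the thread; value assumed */

/* Hypothetical, reduced stand-in for the merged configuration. */
typedef struct {
    int   run_flags;
    char *interface;           /* NULL: libpcap picks its default interface */
} model_conf;
static void clear_iface(model_conf *cf) { free(cf->interface); cf->interface = NULL; }

/* Assumed merge step: values given on the command line override the file's. */
static void merge_common(model_conf *cf, int cmd_flags, const char *cmd_iface) {
    cf->run_flags |= cmd_flags;
    if (cmd_iface == NULL) return;
    free(cf->interface);
    cf->interface = malloc(strlen(cmd_iface) + 1);
    if (cf->interface != NULL) strcpy(cf->interface, cmd_iface);
}

/* Behaviour reported in the thread: the interface is cleared in every run mode. */
void merge_unguarded(model_conf *cf, int cmd_flags, const char *cmd_iface) {
    merge_common(cf, cmd_flags, cmd_iface);
    if (cf->interface != NULL)
        clear_iface(cf);
}

/* With the inline check proposed in the reply. */
void merge_guarded(model_conf *cf, int cmd_flags, const char *cmd_iface) {
    merge_common(cf, cmd_flags, cmd_iface);
    if ((cf->run_flags & RUN_FLAG__INLINE) && (cf->interface != NULL))
        clear_iface(cf);
}

/* Returns 1 if the requested interface survives the merge, 0 if it was cleared. */
int iface_survives(int guarded, int cmd_flags, const char *iface) {
    model_conf cf = { 0, NULL };
    (guarded ? merge_guarded : merge_unguarded)(&cf, cmd_flags, iface);
    int kept = cf.interface != NULL && strcmp(cf.interface, iface) == 0;
    free(cf.interface);
    return kept;
}

int main(void) {
    printf("unguarded=%d guarded=%d guarded+inline=%d\n", iface_survives(0, 0, "lo"),
           iface_survives(1, 0, "lo"), iface_survives(1, RUN_FLAG__INLINE, "lo"));
    return 0;
}
```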