[Oisf-users] "suricata: double free or corruption" when I use bpf filter
carlopmart
carlopmart at gmail.com
Wed Nov 9 17:20:30 UTC 2011
On 11/09/2011 06:04 PM, Victor Julien wrote:
> On 11/09/2011 05:51 PM, carlopmart wrote:
>>> Can you try the attached patch?
>>>
>>
>> Applying the patch works well, and compilation too ... Starting suricata:
>>
>> root at eorlingas:~# suricata -c /data/config/etc/suricata/suricata.yaml -i
>> eth8 -F /data/config/etc/suricata/bpf.conf
>> [21899] 9/11/2011 -- 16:48:26 - (runmode-pcap.c:140)<Info>
>> (ParsePcapConfig) -- BPF filter set from command line or via old
>> 'bpf-filter' option.
>
>>
>> ... uhmm, why is saying "BPF filter set from command line or via old
>> 'bpf-filter' option."??
>
> I agree the output is confusing. What I think is happening is that you
> can set a bpf filter in the config (suricata.yaml). If you add it on the
> command line, like you did, it will tell you it uses that instead of the
> one in the config.
>
>> Anyway, it seems to work ... Yes, it works. Suricata only sees http traffic ...
>
> Cool, thanks for your report!
>
Uhmmm ... but no alerts are displayed. For example, I configure
rbn.rules and I execute:
[carlos at desktop etc]$ telnet 118.218.219.178 80
Trying 118.218.219.178...
Connected to 118.218.219.178.
Escape character is '^]'.
get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Microsoft-IIS/5.0 Server at mybookmake.co.kr Port 80</address>
</body></html>
Connection closed by foreign host.
118.218.219.178 appears in the rbn.rules file (and it is configured under the rules
section of suricata.yaml), but suricata doesn't fire any alarm ...
Why??
--
CL Martinez
carlopmart {at} gmail {d0t} com
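One check worth running before asking why a rule is silent: does the traffic that the rule header needs actually survive the BPF capture filter? A filter such as "dst port 80" keeps only the client-to-server half of the HTTP session, so a rule whose header names the remote IP as the *source* (the usual shape of an IP-reputation rule) never sees a packet it can match. The script below is an added example written for this archive page; it is not code from the thread or from Suricata. It evaluates a deliberately tiny subset of BPF syntax and only the header of a rule, and everything in it is constructed: the client address 192.168.1.10, the ephemeral port, the two filter expressions, the HOME_NET value and the sample rule (modelled on the mail's IP 118.218.219.178, but not taken from rbn.rules).

```python
"""Check whether sample packets pass a capture filter and then match a rule header.

Added example, not from the Oisf-users thread or from Suricata.  bpf_match()
understands only proto, host and port terms with optional src/dst qualifiers
joined by 'and'; rule_header_match() handles only the header of a rule
(action proto src sport dir dst dport) with 'any', $VAR, CIDR, port ranges
and [...] lists, no negation.  Both are simplifications for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def bpf_match(expr, pkt):
    """Evaluate an 'and'-joined subset of BPF against one packet."""
    for term in expr.split(" and "):
        words = term.strip().split()
        if words in (["tcp"], ["udp"]):
            if pkt.proto != words[0]:
                return False
            continue
        qual = None
        if words[0] in ("src", "dst"):
            qual, words = words[0], words[1:]
        kind, value = words[0], words[1]
        if kind == "port":
            seen = {"src": [pkt.sport], "dst": [pkt.dport], None: [pkt.sport, pkt.dport]}[qual]
            if int(value) not in seen:
                return False
        elif kind == "host":
            seen = {"src": [pkt.src], "dst": [pkt.dst], None: [pkt.src, pkt.dst]}[qual]
            if value not in seen:
                return False
        else:
            raise ValueError("unsupported filter term: %r" % term)
    return True


def _expand(spec, variables):
    """Expand 'any', '$VAR', an address/CIDR/port, or a '[a,b]' list into atoms."""
    spec = spec.strip()
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec.startswith("[") and spec.endswith("]"):
        atoms = []
        for part in spec[1:-1].split(","):
            atoms.extend(_expand(part, variables))
        return atoms
    return [spec]


def _addr_match(atoms, ip):
    if "any" in atoms:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in atoms)


def _port_match(atoms, port):
    if "any" in atoms:
        return True
    for a in atoms:
        if ":" in a:                      # Suricata-style range, e.g. 1024:65535
            lo, hi = a.split(":")
            if int(lo or 0) <= port <= int(hi or 65535):
                return True
        elif int(a) == port:
            return True
    return False


def rule_header_match(rule, pkt, variables):
    """True if the rule header covers this packet (either way for '<>')."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    if proto not in ("ip", pkt.proto):
        return False

    def one_way(s, sp, d, dp):
        return (_addr_match(_expand(s, variables), pkt.src)
                and _port_match(_expand(sp, variables), pkt.sport)
                and _addr_match(_expand(d, variables), pkt.dst)
                and _port_match(_expand(dp, variables), pkt.dport))

    if one_way(src, sport, dst, dport):
        return True
    return direction == "<>" and one_way(dst, dport, src, sport)


def packets_hitting_rule(bpf, rule, packets, variables):
    """Packets that pass the capture filter *and* match the rule header."""
    return [p for p in packets if bpf_match(bpf, p) and rule_header_match(rule, p, variables)]


# Constructed sample flow modelled on the telnet session in the mail; the client
# address 192.168.1.10 and the ephemeral port 45678 are made up.
CLIENT, SERVER = "192.168.1.10", "118.218.219.178"
PACKETS = [
    Packet("tcp", CLIENT, 45678, SERVER, 80),   # request direction
    Packet("tcp", SERVER, 80, CLIENT, 45678),   # reply direction
]
VARIABLES = {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "any"}   # assumed values
# Hypothetical rule in the shape of an IP-list rule: the bad host is the *source*.
RULE = ('alert ip [118.218.219.178,118.218.219.179] any -> $HOME_NET any '
        '(msg:"constructed RBN-style example"; sid:1; rev:1;)')

if __name__ == "__main__":
    for bpf in ("tcp and port 80", "tcp and dst port 80"):
        hits = packets_hitting_rule(bpf, RULE, PACKETS, VARIABLES)
        print("%r: %d packet(s) reach the rule header" % (bpf, len(hits)))
```

With "tcp and port 80" the server's reply reaches the rule header and matches; with "tcp and dst port 80" nothing does, because the only packet the rule could match (source 118.218.219.178) is exactly the one the filter discards. The same reasoning applies to any filter or rule pair: compare the direction the filter keeps with the direction the rule header expects before blaming the rule file.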