[Oisf-users] "suricata: double free or corruption" when I use bpf filter

carlopmart carlopmart at gmail.com
Wed Nov 9 17:20:30 UTC 2011

On 11/09/2011 06:04 PM, Victor Julien wrote:
> On 11/09/2011 05:51 PM, carlopmart wrote:
>>> Can you try the attached patch?
>> Applying the patch works well, and compilation too ... Starting suricata:
>> root at eorlingas:~# suricata -c /data/config/etc/suricata/suricata.yaml -i
>> eth8 -F /data/config/etc/suricata/bpf.conf
>> [21899] 9/11/2011 -- 16:48:26 - (runmode-pcap.c:140)<Info>
>> (ParsePcapConfig) -- BPF filter set from command line or via old
>> 'bpf-filter' option.
>>    ... uhmm, why is it saying "BPF filter set from command line or via old
>> 'bpf-filter' option."??
> I agree the output is confusing. What I think is happening is that you
> can set a bpf filter in the config (suricata.yaml). If you add it on the
> commandline, like you did, it will tell you it uses that instead of the
> one in the config.
>>    Anyway, it seems it works ... Yes, it works. Suricata only sees http traffic ...
> Cool, thanks for your report!

Uhmmm ... but no alerts are displayed. For example, I configure 
rbn.rules and I execute:

[carlos at desktop etc]$ telnet 80
Connected to
Escape character is '^]'.
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
<address>Microsoft-IIS/5.0 Server at mybookmake.co.kr Port 80</address>
Connection closed by foreign host.

appears in the rbn.rules file (and it is configured under the rules 
section in suricata.yaml), but suricata doesn't fire any alarm ... 

CL Martinez
carlopmart {at} gmail {d0t} com
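The two places the thread refers to for the BPF filter, shown side by side as an added illustration that is not part of the original messages or of Suricata's own documentation. The interface name eth8 and the file path are taken from the thread; the filter expression "port 80" is an assumption based on the remark that Suricata then only sees http traffic.

```yaml
# Added example, not from the original thread. Assumptions: the filter
# expression is "port 80"; the file passed with -F is
# /data/config/etc/suricata/bpf.conf and contains that bare expression.

# 1. Legacy top-level key. The log line quoted in the thread ("BPF filter
#    set from command line or via old 'bpf-filter' option") is the message
#    printed when this key, or the -F command-line file, supplies the filter.
bpf-filter: "port 80"

# 2. Per-interface key under the pcap runmode, which is the form the thread
#    calls "the one in the config". A filter given on the command line with
#    -F takes precedence over it, as Victor describes.
pcap:
  - interface: eth8
    bpf-filter: "port 80"
```

Whichever place the filter is set, packets that do not match it are dropped at capture time and never reach the detection engine, so only rules whose traffic fits the filter can fire while it is active.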

