Subject: RE: [snort] 1.6-beta11 available [CVS & WWW]
From: CyberPsychotic (fygraveepr0.org)
Date: Tue Mar 07 2000 - 12:47:36 CST


~ :What's new in 1.6-beta11? I'm working a little on this mainframe
~ :communication problem right now (remotely) but plan to be on-site tomorrow.
~ :I could give it a try and flip back and forth between 1.5.2 and 1.6-beta11
~ :if there are problems.
~ :
~ :One thing I noticed in 1.5.2 is that the -e option doesn't work on a token
~ :ring network (it dumps core)...and maybe it's not supposed to. One place,
~ :that is called the 'ethernet header' option.

it's not supposed to. There are no ethernet frames in TokenRing. There are
tokenring frames. ;-) PrintEthHeader in log.c looks at eh (ethernet
header) value which is only set when Ethernet datalink is being processed.
We actually could fix it in 2 ways:

1. We could give a warning that -e could be used with ethernet datalink
types and ignore it.
2. We could add extra sanity check to PrintEthHeader to ignore the call,
if eh is NULL
3. I could rewrite a bit DecodeTRPacket to form some sort of ethernet
header. There are actually also srcaddr and dstaddr mac addresses in
tokenring header which I could just pull into eh structure.

 Let me know which one you find more appropriate :)
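
Added example, not part of the original message and not Snort's code: a minimal C model of option 2, where the header printer refuses to dereference eh when the Ethernet decoder never ran. The structures, the names decode_eth, decode_tr and print_eth_header, and the sample frames are simplified, hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins for illustration; not Snort's real structures. */
typedef struct { uint8_t dst[6], src[6], type[2]; } EthHdr;
typedef struct { uint8_t ac, fc, dst[6], src[6]; } TrHdr;
typedef struct {
    EthHdr eth_buf; TrHdr tr_buf;   /* per-datalink header storage */
    const EthHdr *eh;               /* NULL unless an Ethernet frame was decoded */
    const TrHdr  *trh;              /* NULL unless a Token Ring frame was decoded */
} Packet;

/* Hypothetical Ethernet decoder: the only path that sets p->eh. */
static void decode_eth(Packet *p, const uint8_t *frame, size_t len) {
    p->eh = NULL; p->trh = NULL;
    if (len < sizeof p->eth_buf) return;           /* truncated frame */
    memcpy(&p->eth_buf, frame, sizeof p->eth_buf);
    p->eh = &p->eth_buf;
}

/* Hypothetical Token Ring decoder: sets p->trh and leaves p->eh NULL. */
static void decode_tr(Packet *p, const uint8_t *frame, size_t len) {
    p->eh = NULL; p->trh = NULL;
    if (len < sizeof p->tr_buf) return;
    memcpy(&p->tr_buf, frame, sizeof p->tr_buf);
    p->trh = &p->tr_buf;
}

/* Option 2: check eh before use. Returns the number of characters formatted,
   or -1 when there is no Ethernet header (Token Ring, truncated frame). */
static int print_eth_header(const Packet *p, char *out, size_t outlen) {
    if (p == NULL || p->eh == NULL) return -1;
    const uint8_t *s = p->eh->src, *d = p->eh->dst;
    return snprintf(out, outlen,
        "%02X:%02X:%02X:%02X:%02X:%02X -> %02X:%02X:%02X:%02X:%02X:%02X type:0x%02X%02X",
        s[0], s[1], s[2], s[3], s[4], s[5], d[0], d[1], d[2], d[3], d[4], d[5],
        p->eh->type[0], p->eh->type[1]);
}

/* Constructed sample frames (headers only). */
static const uint8_t ETH_FRAME[14] = {0,1,2,3,4,5, 0x0A,0x0B,0x0C,0x0D,0x0E,0x0F, 0x08,0x00};
static const uint8_t TR_FRAME[14]  = {0x10,0x40, 0,1,2,3,4,5, 0x0A,0x0B,0x0C,0x0D,0x0E,0x0F};

int main(void) {
    Packet p; char line[96];
    decode_tr(&p, TR_FRAME, sizeof TR_FRAME);
    if (print_eth_header(&p, line, sizeof line) < 0) puts("no ethernet header, -e output skipped");
    decode_eth(&p, ETH_FRAME, sizeof ETH_FRAME);
    if (print_eth_header(&p, line, sizeof line) > 0) puts(line);
}
```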