Snort mailing list archives
Re: use of BPF in 1.8.7beta6 might be broken
From: Chris Green <cmg () sourcefire com>
Date: Tue, 11 Jun 2002 23:44:53 -0400
"Michael Scheidell" <scheidell () secnap net> writes:

> Might be two problems with bpf filter usage in snort 1.8.7beta6
>
> Problem one (already reported): HUP does not release the fd that opened
> the bpf filter. Check with lsof, one fd open for
> /usr/local/share/snort/snort.bpf

Seems to just be a missing close(fd) in read_infile, just committed, see what do you see?

> SIGHUP snort, two fds, same file.
>
> SECOND PROBLEM: doesn't work. Yep, snort won't log anything except
> spp_stream4 stuff if I use a bpf filter.
It seems to work just fine with a BPF filter here and just leaks the FD on Linux. I'll try tomorrow on BSD and see what happens. Do you get the same thing when you specify the pcap on the command line?
> FREEBSD 4.5.
>
>     -*> Snort! <*-
>     Version 1.8.7beta6 (Build 121)
>
> /usr/local/bin/snort -doDI -m 022 -z \
>     -F /usr/local/share/snort/snort.bpf \
>     -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort
>
> remove the -F line, all is fine.
>
> bpf file:
>
> cat /usr/local/share/snort/snort.bpf
> not src host 10.1.1.10
--
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."
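The first problem in the thread, a filter-file reader that forgets its close(fd), as an added example that is not Snort's own read_infile: a small C reader with a close_fd toggle (an assumed parameter, used only to show both behaviours) and a descriptor counter that makes the one-fd-per-SIGHUP leak visible without lsof. The file path and the sample filter are constructed for the example.

```c
/* Added example, not Snort source: a read_infile-style reader for a BPF
 * filter file, with and without the missing close(fd), plus a check that
 * shows how many descriptors each config reload leaks. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Lowest descriptor number the kernel would hand out next.  Opening and
 * closing any readable file reveals it; a leak shows up as this number
 * climbing after every call to the reader. */
int lowest_free_fd(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* Read the filter expression from path into buf, trimming the trailing
 * newline.  Returns the length, or -1 on error.  close_fd == 0 reproduces
 * the leak described in the thread; close_fd != 0 is the fixed behaviour. */
ssize_t read_filter_file(const char *path, char *buf, size_t len, int close_fd) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    if (close_fd) close(fd);           /* the one line the fix adds */
    if (n < 0) return -1;
    buf[n] = '\0';
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r'))
        buf[--n] = '\0';
    return n;
}

/* Simulate `reloads` HUP-driven re-reads of the filter file and return how
 * many descriptors were left open afterwards (0 for the fixed reader). */
int leaked_fds_after_reloads(const char *path, int close_fd, int reloads) {
    char buf[256];
    int before = lowest_free_fd(path);
    if (before < 0) return -1;
    for (int i = 0; i < reloads; i++)
        if (read_filter_file(path, buf, sizeof buf, close_fd) < 0) return -1;
    return lowest_free_fd(path) - before;
}

/* Write a constructed filter file holding the same expression as the thread. */
int write_sample_filter(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("not src host 10.1.1.10\n", f);
    return fclose(f);
}
```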
Current thread:
- use of BPF in 1.8.7beta6 might be broken Michael Scheidell (Jun 09)
- Re: use of BPF in 1.8.7beta6 might be broken Chris Green (Jun 11)