Snort mailing list archives

Patch to allow newlines in BPF filter file


From: snort-devel () scottsavarese com
Date: Sun, 30 Apr 2017 19:52:02 -0400

Our BPF filter is rather long, with about 70 combined expressions. We currently have to keep all of that on one line,
otherwise the BPF filter that is read in doesn't properly handle the newlines (it does something like '!host 1.2.3.4%012'
and functionally doesn't work right). We'd like to make the file more readable by better handling newlines as well as
better handling comments. The idea is to convert all newlines to spaces, the same way comments are currently handled.
While it adds a lot of extra whitespace in the BPF filter, spaces seem to be handled appropriately. A sample file would
look like:

# Comment 1
!host 1.2.3.4 &&
!host 2.3.4.5 &&

# Comment 2
!host 3.4.5.6

I've included a patch which appears to work. It is built against the downloadable 2.9.9.0 version found on the webpage
(I couldn't find a CVS repository to get the latest Snort version from). Would you be willing to accept the patch and
add it to a future version of Snort?

Please feel free to rewrite it completely or otherwise provide feedback. I'm not the best C coder.

Thanks,
Scott

[]$ diff -ru snort-2.9.9.0.orig snort-2.9.9.0
diff -ru snort-2.9.9.0.orig/src/util.c snort-2.9.9.0/src/util.c
--- snort-2.9.9.0.orig/src/util.c       2016-06-07 07:47:48.000000000 +0000
+++ snort-2.9.9.0/src/util.c    2017-04-28 15:11:19.110669851 +0000
@@ -1382,13 +1382,18 @@
      *  so that we can put comments in our BPF filters
      */
 
-    while((cmt = strchr(cp, '#')) != NULL)
-    {
-        while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0')
-        {
-            *cmt++ = ' ';
+    cmt = cp;
+    while ( *cmt != '\0' ) {
+        if ( *cmt == '#' ) {
+            while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0') {
+                *cmt++ = ' ';
+            }
         }
-    }
+        if ( *cmt == '\r' || *cmt == '\n' ) {
+            *cmt = ' ';
+        }
+        cmt++;
+    }
 
     /** LogMessage("BPF filter file: %s\n", fname); **/
 
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
