Snort mailing list archives
Re: max bpf filter size?
From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 18 Jul 2010 21:34:53 -0400
On Sun, Jul 18, 2010 at 8:03 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
> Hi there
>
> Simple question: I have a large-and-growing BPF filter, and am getting nervous I'm going to hit some maximum size at some time. I'm already doing it by putting the filter into a file (i.e. it's not shell-bound), but I'm guessing there's some limit? Also, I'm doing this with both snort and daemonlogger, so don't know if there are application-specific limits that are different from pcap library limits?

Hi Jason,

Daemonlogger will read up to the filesize returned by stat(2) when you're loading from a file. When reading from the shell you're only limited by the max shell command size and libpcap. It looks like Snort works the same way just perusing Snort 2.8.6. I'm not sure what libpcap's limit on filter size is but I imagine it's quite large (megabytes?).

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
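
The stat(2)-sized filter file load described in the reply above, as an added C example that is not part of the original thread and is not daemonlogger's or Snort's own code. It uses fstat(2) on the open descriptor; the function name `load_bpf_file` and the `FILTER_MAX_BYTES` ceiling are assumptions made for illustration, not limits of any of the tools discussed.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical ceiling for this example; not a Snort, daemonlogger or libpcap limit. */
#define FILTER_MAX_BYTES (8L * 1024 * 1024)

/* Load a BPF expression file as a NUL-terminated heap string; NULL on any error.
 * On success *len_out holds the number of filter bytes read. */
char *load_bpf_file(const char *path, size_t *len_out)
{
    struct stat st;
    char *buf = NULL;
    size_t got = 0;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return NULL;
    /* fstat() the open descriptor so the size belongs to the file being read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_size <= 0 || st.st_size > FILTER_MAX_BYTES)
        goto fail;
    if ((buf = malloc((size_t)st.st_size + 1)) == NULL)
        goto fail;
    /* read() may return short counts; never read past the size fstat() gave. */
    while (got < (size_t)st.st_size) {
        ssize_t n = read(fd, buf + got, (size_t)st.st_size - got);
        if (n <= 0)
            break;      /* I/O error, or the file shrank after fstat() */
        got += (size_t)n;
    }
    /* A short read or an embedded NUL would hand pcap_compile() a truncated filter. */
    if (got != (size_t)st.st_size || memchr(buf, '\0', got) != NULL)
        goto fail;
    close(fd);
    buf[got] = '\0';
    *len_out = got;
    return buf;
fail:
    free(buf);
    close(fd);
    return NULL;
}
```

Rejecting a short read or an embedded NUL matters for a sensor: a filter that is silently cut off still compiles, but captures different traffic than the file on disk says it should.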