Snort mailing list archives
Patch to allow newlines in BPF filter file
From: snort-devel () scottsavarese com
Date: Sun, 30 Apr 2017 19:52:02 -0400
Our BPF filter is rather long with about 70 combined expressions. We currently have to keep all of that on one line, otherwise the BPF filter that is read in doesn't properly handle the newlines (it does something like '!host 1.2.3.4%012' and functionally doesn't work right). We'd like to make the file more readable by better handling newlines as well as better handling comments.

The idea is to convert all newlines to spaces the same way as comments are currently handled. While it adds a lot of extra whitespace in the BPF filter, spaces seem to be handled appropriately. A sample file would look like:

    # Comment 1
    !host 1.2.3.4 &&
    !host 2.3.4.5 &&
    # Comment 2
    !host 3.4.5.6

I've included a patch which appears to work. It is built against the downloadable 2.9.9.0 version found on the webpage (I couldn't find a CVS repository to get the latest snort version from). Would you be willing to accept the patch and add it to a future version of Snort? Please feel free to rewrite it completely or otherwise provide feedback. I'm not the best C coder.

Thanks,
Scott

[]$ diff -ru snort-2.9.9.0.orig snort-2.9.9.0 diff -ru snort-2.9.9.0.orig/src/util.c snort-2.9.9.0/src/util.c --- snort-2.9.9.0.orig/src/util.c 2016-06-07 07:47:48.000000000 +0000 +++ snort-2.9.9.0/src/util.c 2017-04-28 15:11:19.110669851 +0000 @@ -1382,13 +1382,18 @@ * so that we can put comments in our BPF filters */ - while((cmt = strchr(cp, '#')) != NULL) - { - while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0') - { - *cmt++ = ' '; + cmt = cp; + while ( *cmt != '\0' ) { + if ( *cmt == '#' ) { + while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0') { + *cmt++ = ' '; + } } - } + if ( *cmt == '\r' || *cmt == '\n' ) { + *cmt = ' '; + } + cmt++; + } /** LogMessage("BPF filter file: %s\n", fname); **/
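Review bot: the unconditional `cmt++` at the end of the new outer loop steps past the NUL terminator when the file ends with a comment that has no trailing newline. In that case the inner `while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0')` stops with `*cmt == '\0'`, the `'\r'`/`'\n'` test is false, and `cmt++` then moves beyond the end of the string, so the next `while ( *cmt != '\0' )` check reads past the buffer and can keep blanking bytes that are not part of it. The removed `strchr`-based loop did not have this problem because it restarted from `cp` and found no further `'#'`. A one-line fix is to leave the loop as soon as the comment scan reaches the terminator, e.g. `if ( *cmt == '\0' ) break;` right after the inner `while`, or to make the final `cmt++` conditional on `*cmt != '\0'`. As a style point, the added lines put the opening brace on the same line as `while`/`if`, whereas the surrounding util.c code (see the removed lines) puts it on its own line; matching the file's existing brace style would make the patch easier to take as-is.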
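The conversion Scott describes (blank each '#' comment to the end of its line, then turn every newline into a space so the file collapses to one expression) as an added example in C. This is written for this page and is not Snort's util.c nor the patch itself; the function names, the constructed sample text and the CRLF and trailing-comment edge cases are assumptions. The point it adds beyond the description is that every scan stops at the NUL terminator, including when a comment is the last thing in the file and has no newline after it.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Snort's util.c and not the patch from the post):
 * flatten a BPF filter file in place by blanking '#' comments to end of
 * line and turning every CR/LF into a space, so a multi-line file becomes
 * one expression. Every path stops at the NUL terminator, including a
 * comment on the last line with no trailing newline. */
void bpf_file_flatten(char *buf)
{
    char *p = buf;

    while (*p != '\0') {
        if (*p == '#') {
            /* Blank the comment up to, not including, the line end. */
            while (*p != '\0' && *p != '\r' && *p != '\n')
                *p++ = ' ';
            /* The comment may end at the terminator: never step past it. */
            if (*p == '\0')
                break;
        }
        if (*p == '\r' || *p == '\n')
            *p = ' ';
        p++;
    }
}

/* 1 if no '#', CR or LF remain and the length is unchanged (in-place
 * replacement never writes a NUL), else 0. */
int bpf_file_is_flat(const char *buf, size_t original_len)
{
    return strlen(buf) == original_len && strpbrk(buf, "#\r\n") == NULL;
}

int main(void)
{
    /* Constructed sample in the layout the post proposes, plus a CRLF line
     * end and a trailing comment without a newline as edge cases. */
    char sample[] =
        "# Comment 1\n"
        "!host 1.2.3.4 &&\r\n"
        "!host 2.3.4.5 &&\n"
        "# Comment 2\n"
        "!host 3.4.5.6\n"
        "# trailing comment, no newline";
    size_t len = strlen(sample);

    bpf_file_flatten(sample);
    printf("flat=%d [%s]\n", bpf_file_is_flat(sample, len), sample);
    return 0;
}
```

Because the function only overwrites bytes with spaces and never writes a NUL, the string length is the same before and after, which is what `bpf_file_is_flat` checks alongside the absence of any remaining '#', CR or LF.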
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!