Snort mailing list archives

use of BPF in 1.8.7beta6 might be broken


From: "Michael Scheidell" <scheidell () secnap net>
Date: Sun, 9 Jun 2002 22:39:36 -0400

There might be two problems with bpf filter usage in snort 1.8.7beta6.

Problem one (already reported):
HUP does not release the fd that opened the bpf filter.
Check with lsof: one fd open for /usr/local/share/snort/snort.bpf.

SIGHUP snort: two fds, same file.

SECOND PROBLEM:
It doesn't work.
Yep, snort won't log anything except spp_stream4 stuff if I use a bpf
filter.


FREEBSD 4.5.
-*> Snort! <*-
Version 1.8.7beta6 (Build 121)

/usr/local/bin/snort -doDI -m 022 -z \
-F /usr/local/share/snort/snort.bpf \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort

Remove the -F line and all is fine.
bpf file:
cat /usr/local/share/snort/snort.bpf
not src host 10.1.1.10

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell () secnap net
http://www.secnap.net
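A way to check the first problem (the descriptor on the bpf file not being released on SIGHUP) in a repeatable way, as an added example that is not part of the original post or of snort. It assumes lsof(8) is installed and that the file path contains no spaces, so the NAME column is the last field of each lsof line.

```shell
#!/bin/sh
# Added example, not from the original post: detect a daemon that re-opens
# its BPF filter file on SIGHUP without closing the previous descriptor.

# Count the descriptors in an lsof listing (read from stdin) that refer to
# the path given as $1. The header line never matches because its last
# field is the literal word NAME.
count_fds_for_path() {
    awk -v path="$1" '$NF == path { n++ } END { print n + 0 }'
}

# Compare two lsof snapshots of the same process and report whether the
# number of descriptors on $1 grew. $2 = snapshot before SIGHUP,
# $3 = snapshot after SIGHUP. Prints "leak (a -> b)" or "ok (a -> b)".
fd_leak_verdict() {
    before=$(printf '%s\n' "$2" | count_fds_for_path "$1")
    after=$(printf '%s\n' "$3" | count_fds_for_path "$1")
    if [ "$after" -gt "$before" ]; then
        echo "leak ($before -> $after)"
    else
        echo "ok ($before -> $after)"
    fi
}

# Live check against a running process: $1 = pid of the daemon,
# $2 = path to the filter file (e.g. /usr/local/share/snort/snort.bpf).
# Takes an lsof snapshot, sends SIGHUP, waits for the reload, snapshots
# again and prints the verdict. Only run this against a process you own.
check_hup_fd_leak() {
    pid=$1
    path=$2
    snap_before=$(lsof -p "$pid" 2>/dev/null)
    kill -HUP "$pid"
    sleep 1
    snap_after=$(lsof -p "$pid" 2>/dev/null)
    fd_leak_verdict "$path" "$snap_before" "$snap_after"
}

# Usage (pid is a placeholder):
#   check_hup_fd_leak <snort-pid> /usr/local/share/snort/snort.bpf
```

A second SIGHUP should give "leak (2 -> 3)" if the descriptor is leaked on every reload, which distinguishes a one-time double open from a leak per HUP.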

