Re: use of BPF in 1.8.7beta6 might be broken

[Chris Green <cmg () sourcefire com>]

"Michael Scheidell" <scheidell () secnap net> writes:

> Might be two problems with bpf filter usage in snort 1.8.7beta6
>
> Problem one (already reported)
> HUP does not release the fd that opened the bpf filter
> check with lsof, one fd open for /usr/local/share/snort/snort.bpf

Seems to just be a missing close(fd) in read_infile, just committed,
see what do you see?


> SIGHUP snort, two fds, same file.
>
> SECOND PROBLEM:
> doesn't work.
> Yep, snort won't log anything except spp_stream4 stuff if I use a bpf
> filter.

It seems to work just fine with a BPF filter here and just leaks the
FD on Linux. I'll try tommorrow on BSD and see what happens

do you get the same thing when you specify the pcap on the command line?

> FREEBSD 4.5.
> -*> Snort! <*-
> Version 1.8.7beta6 (Build 121)
>
> /usr/local/bin/snort -doDI -m 022 -z \
> -F /usr/local/share/snort/snort.bpf \
> -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort
>
> remove the -F line, all is fine.
> bpf file:
> cat /usr/local/share/snort/snort.bpf
> not src host 10.1.1.10
-- 
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."

_______________________________________________________________

Multimillion Dollar Computer Inventory
Live Webcast Auctions Thru Aug. 2002 - http://www.cowanalexander.com/calendar



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users