Snort mailing list archives

Re: Network Variables


From: "Seth Dunn" <seth () d2ms com>
Date: Thu, 2 May 2013 07:50:06 -0400

What is DAQ?  I have seen that, but have no idea what that is.

As far as my bpf file goes, if it is like this:

 

#not net 10.10.0.0/24 and not net 10.30.0.0/24

not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net
10.30.0.0/24 and dst host 10.75.45.1 && dst port 80


It will fail with:

Reading filter from bpf file: D:\Snort\etc\ignore2.bpf

ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)

Fatal Error, Quitting..

 

If I remove the commented line, then snort starts fine.
If I try to have multiple lines in the file (all being rules, no
comments), then it will fail with a similar error as above.
I have never seen a DAQ error.

 

From: Russ Combs [mailto:rcombs () sourcefire com] 
Sent: Thursday, May 02, 2013 12:08 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

 

Snort does allow comments in the BPF file, starting with # to end of
line.  If there is a syntax error, you should see something like:

 

ERROR: Can't set DAQ BPF filter to '

...      

' (pcap_daq_set_filter: pcap_compile: syntax error)!

Fatal Error, Quitting..

 

What DAQ are you using?  Please send the BPF file that fails and the
error that you get.

 

On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42 () windstream net>
wrote:

On 5/1/2013 13:09, Seth Dunn wrote:
But any ideas why snort fails to start if I add in a '#' to comment a
line??

i have no clue but it sounds like a coding error not allowing comment lines in
the BPF file... only joel or one of the snort dev guys can tell us that... or
possibly a code diver who can root around in the snort code ;)


--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
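
An added example, not part of the original messages or of Snort's code: the commented line and the filter quoted above, joined by one Windows CRLF, occupy exactly 170 bytes on disk but yield 169 characters from a text-mode read, which matches the figures in the "short read" error. It assumes (the thread does not confirm this) that the file was saved with CRLF line endings, that the wrapped filter was a single line in the file, and that the loader compares the on-disk size with a text-mode read count; the function names are hypothetical.

```python
# Constructed input: the two filter lines quoted in the message above.
# Assumption: the second filter was one line in the file (the mail client wrapped it).
COMMENT = b"#not net 10.10.0.0/24 and not net 10.30.0.0/24"
FILTER = (b"not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net "
          b"10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")


def read_vs_size(data: bytes) -> tuple[int, int]:
    """Return (text-mode read count, on-disk size) for a file's raw bytes.

    A Windows text-mode read hands back each CRLF pair as a single LF, so the
    count falls short of the size by one per CRLF line ending.
    """
    return len(data.replace(b"\r\n", b"\n")), len(data)


def flatten_bpf(data: bytes) -> bytes:
    """Strip '#' comments to end of line and join the rest into a single line
    with no line terminator, the form the message reports as loading cleanly."""
    kept = []
    for line in data.splitlines():
        expr = line.split(b"#", 1)[0].strip()
        if expr:
            kept.append(expr)
    return b" ".join(kept)


if __name__ == "__main__":
    failing = COMMENT + b"\r\n" + FILTER  # commented line, CRLF, then the filter
    print("with comment:", read_vs_size(failing))
    print("flattened:   ", read_vs_size(flatten_bpf(failing)))
```

Under these assumptions the mismatch comes from the line ending rather than from the `#` itself, which is consistent with the report that any multi-line file fails in the same way.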

 
