[Snort-devel] about BPF filter for snort

Jerry Zhang jerry3558 at ...2499...
Sat May 24 23:56:41 EDT 2008


hi guys,

I am trying to use BPF filter in the snort (snort ..... -F bpf_file).

My bpf_file is like this:

---------------------------------------
(host 192.168.1.1) or
(host 192.168.1.10) or
(host x.x.x.x) or
........
(net 192.111) or
(net 192.112) or
.........
(host y.y.y.y)
........
........
---------------------------------------


Everything works fine if the number of rules is small, for example when the
number of rules is 10.

However, when the number of rules increases a lot, for example when the
number of rules is 20,000, I get this error message:

------------------------------------------------------------------
ERROR: OpenPcap() FSM compilation failed:
        malloc
------------------------------------------------------------------

I tried to aggregate some of the rules from "host" to "net" but it does not
reduce the number of rules a lot because of my application requirement.

So my questions are:

1. How can I solve this problem by configuring snort?

2. Or is there any way to solve this problem by configuring the system? (I
am using Ubuntu.)


Thanks for your help.
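The post mentions collapsing "host" rules into "net" rules to shrink the filter. The script below is an added example (not from the poster or from the Snort project) that does this mechanically: it takes a list of IPv4 hosts, collapses them into the minimal set of CIDR blocks that match exactly those addresses and nothing else, and emits a bpf_file in the same "(term) or" layout as above. The host list and the `SAMPLE_HOSTS` name are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: a full /24 plus three scattered hosts (259 "host" rules).
SAMPLE_HOSTS = [f"192.168.1.{i}" for i in range(256)] + [
    "10.0.0.1", "10.0.0.2", "10.0.0.3",
]


def aggregate_hosts(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse single IPv4 hosts into the fewest CIDR networks that cover
    exactly those hosts. Contiguous, aligned runs (e.g. a whole /24) become one
    "net" term; isolated addresses stay /32. Duplicates are dropped. The set of
    matched addresses is unchanged, so the filter's semantics are preserved."""
    nets = {ipaddress.IPv4Network(h) for h in hosts}  # /32 networks, deduplicated
    return list(ipaddress.collapse_addresses(nets))


def bpf_term(net: ipaddress.IPv4Network) -> str:
    """Render one network as a libpcap primitive: 'host A' for a /32,
    'net A/len' otherwise (both are standard pcap-filter syntax)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def bpf_filter_text(hosts: Iterable[str]) -> str:
    """Build the bpf_file contents in the '(term) or' one-per-line layout."""
    terms = [f"({bpf_term(n)})" for n in aggregate_hosts(hosts)]
    return " or\n".join(terms) + "\n"


def rule_counts(hosts: Iterable[str]) -> tuple:
    """Return (original host count, collapsed term count) for reporting."""
    hosts = list(hosts)
    return len(hosts), len(aggregate_hosts(hosts))


if __name__ == "__main__":
    before, after = rule_counts(SAMPLE_HOSTS)
    print(f"{before} host rules -> {after} filter terms")
    print(bpf_filter_text(SAMPLE_HOSTS), end="")
```

Compare the term count before and after on the real list; only addresses that happen to form aligned contiguous blocks collapse, so a widely scattered set may still be large.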