[Snort-devel] about BPF filter for snort

Justin Mitchell tcpandip at ...2499...
Mon May 26 13:08:01 EDT 2008


How much memory do you have? What version of Snort? Seems unrelated to your
BPF and specific to the number of rules you're attempting to load.

On Sat, May 24, 2008 at 11:56 PM, Jerry Zhang <jerry3558 at ...2499...> wrote:

> hi guys,
>
> I am trying to use a BPF filter in Snort (snort ..... -F bpf_file).
>
> My bpf_file is like this:
>
> ---------------------------------------
> (host 192.168.1.1) or
> (host 192.168.1.10) or
> (host x.x.x.x) or
> ........
> (net 192.111) or
> (net 192.112) or
> .........
> (host y.y.y.y)
> ........
> ........
> ---------------------------------------
>
>
> Everything works fine if the number of rules is small, for example the
> number of rules is 10.
>
> However, when the number of rules increases a lot, for example, when the
> number of rules is 20,000, I got the error message as:
>
> ------------------------------------------------------------------
> ERROR: OpenPcap() FSM compilation failed:
>         malloc
> ------------------------------------------------------------------
>
> I tried to aggregate some of the rules from "host" to "net" but it does not
> reduce the number of rules a lot because of my application requirement.
>
> So my question is that:
>
> 1. How can I solve this problem by configuring snort?
>
> 2. Or is there any way to solve this problem by configuring the System? (I
> am using ubuntu)
>
>
> Thanks for your help.
>
>
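
An added example, not part of the original thread: one way to losslessly aggregate a bpf_file in the layout quoted above, so fewer terms reach the filter compiler while the set of matched addresses stays the same. It assumes IPv4 only and one "(host ...)" or "(net ...)" term per line; the function names and sample lines are constructed for illustration.

```python
import ipaddress

def parse_entry(line):
    """Turn one '(host A) or' / '(net N) or' line into an IPv4Network."""
    words = line.replace("(", " ").replace(")", " ").split()
    if len(words) < 2 or words[0] not in ("host", "net"):
        raise ValueError(f"unrecognised filter line: {line!r}")
    kind, value = words[0], words[1]
    if kind == "host":
        return ipaddress.ip_network(value + "/32")
    if "/" in value:
        # strict=True rejects a net with host bits set instead of guessing
        return ipaddress.ip_network(value, strict=True)
    # pcap-filter short form: 'net 192.111' means 192.111.0.0/16
    octets = value.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def aggregate(lines):
    """Merge adjacent blocks and drop entries already covered by a net."""
    nets = [parse_entry(l) for l in lines if l.strip()]
    return list(ipaddress.collapse_addresses(nets))

def to_bpf(networks):
    """Render networks back into the one-term-per-line bpf_file layout."""
    terms = []
    for n in networks:
        if n.prefixlen == 32:
            terms.append(f"(host {n.network_address})")
        else:
            terms.append(f"(net {n.with_prefixlen})")
    return " or\n".join(terms)

# Constructed sample input (not taken from the poster's real filter)
SAMPLE = [
    "(host 192.168.1.0) or",
    "(host 192.168.1.1) or",
    "(host 192.168.1.2) or",
    "(host 192.168.1.3) or",
    "(host 192.168.1.10) or",
    "(net 192.111) or",
    "(net 192.110) or",
    "(host 192.111.5.9)",
]

if __name__ == "__main__":
    merged = aggregate(SAMPLE)
    print(f"{len(SAMPLE)} terms -> {len(merged)} terms")
    print(to_bpf(merged))
```

How much this helps depends on how clustered the addresses are; widely scattered hosts will not merge.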