[Snort-devel] about BPF filter for snort

Leon Ward seclists at ...2967...
Mon May 26 14:19:15 EDT 2008


Let's define "rule" here so we can correctly understand what's occurring:
	rule = a Snort detection definition (those things in the filename.rules files)
Do you receive an error when there are too many rules, or when your  
BPF definition hits a specific size?

- If it's BPF size:
Let's take a step back briefly.
What are you trying to achieve? There may be a better way of getting  
to your goal without a 20,000 line BPF.

- If it's rule size:
How much memory is in your sensor?
What search method are you using?
What do these rules do? I assume that a large percentage are custom;  
it's rare that a single sensor needs to run 20,000 rules.

-Leon

On 26 May 2008, at 18:08, Justin Mitchell wrote:

> How much memory do you have? What version of Snort? Seems unrelated  
> to your BPF and specific to the number of rules you're attempting to  
> load.
>
> On Sat, May 24, 2008 at 11:56 PM, Jerry Zhang <jerry3558 at ...2499...>  
> wrote:
> hi guys,
>
> I am trying to use a BPF filter in Snort (snort ..... -F bpf_file).
>
> My bpf_file is like this:
>
> ---------------------------------------
> (host 192.168.1.1) or
> (host 192.168.1.10) or
> (host x.x.x.x) or
> ........
> (net 192.111) or
> (net 192.112) or
> .........
> (host y.y.y.y)
> ........
> ........
> ---------------------------------------
>
>
> Everything works fine if the number of rules is small, for example  
> the number of rules is 10.
>
> However, when the number of rules increases a lot, for example, when  
> the number of rules is 20,000, I get the following error message:
>
> ------------------------------------------------------------------
> ERROR: OpenPcap() FSM compilation failed:
>         malloc
> ------------------------------------------------------------------
>
> I tried to aggregate some of the rules from "host" to "net" but it  
> does not reduce the number of rules a lot because of my application  
> requirement.
>
> So my question is that:
>
> 1. How can I solve this problem by configuring snort?
>
> 2. Or is there any way to solve this problem by configuring the  
> system? (I am using Ubuntu)
>
>
> Thanks for your help.
>
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
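Jerry's file is one "(host x) or (host y) or ..." clause per address, and his own attempt at a fix was to fold hosts into "net" clauses by hand. The script below is an added example, not code from the thread or from the Snort project: it reads such a list of addresses and networks, collapses contiguous hosts into the smallest set of CIDR networks with the standard library's ipaddress.collapse_addresses(), drops hosts already covered by a listed network, and emits the result as a BPF expression. libpcap compiles the filter text into a filter program whose size grows with the number of clauses, so cutting the clause count before writing the file is the lever Jerry was reaching for. The sample address list is constructed for the example; the "192.111" shorthand from his file is written as an explicit 192.111.0.0/16 here because ipaddress does not accept the abbreviated form.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input standing in for Jerry's bpf_file: every host in
# 192.168.1.0/24 listed individually, two stray hosts, one host that is
# already inside a listed network, and that network itself.
SAMPLE_ENTRIES = [f"192.168.1.{i}" for i in range(256)] + [
    "10.0.0.1",
    "10.0.0.2",
    "192.111.5.7",      # covered by the /16 below, so it drops out
    "192.111.0.0/16",
]


def collapse_hosts(entries: Iterable[str]) -> List[Net]:
    """Parse host and network strings and collapse them into the minimal CIDR set.

    A bare address is treated as a /32 (or /128). Mixed IPv4/IPv6 input is
    handled by collapsing each family separately, because collapse_addresses()
    refuses to mix them.
    """
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses merges adjacent blocks and discards subsumed ones,
    # returning the survivors in sorted order.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_bpf(nets: Iterable[Net], one_per_line: bool = False) -> str:
    """Render collapsed networks as a BPF expression.

    A single-address network becomes "host A"; anything wider becomes
    "net A/len", which libpcap accepts as net/len notation. With one_per_line
    set, the layout matches the one-clause-per-line file from the thread.
    """
    clauses = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            clauses.append(f"host {n.network_address}")
        else:
            clauses.append(f"net {n.with_prefixlen}")
    if one_per_line:
        return " or\n".join(f"({c})" for c in clauses)
    return " or ".join(clauses)


def clause_counts(entries: Iterable[str]) -> tuple:
    """Return (clauses before, clauses after) so the reduction can be checked."""
    entries = list(entries)
    return len(entries), len(collapse_hosts(entries))


if __name__ == "__main__":
    before, after = clause_counts(SAMPLE_ENTRIES)
    print(f"{before} clauses collapsed to {after}")
    print(to_bpf(collapse_hosts(SAMPLE_ENTRIES), one_per_line=True))
```

Running it on the constructed list turns 260 clauses into 4: the 256 individual hosts become one net 192.168.1.0/24, the host inside 192.111.0.0/16 disappears, and only the two 10.0.0.x addresses stay as host clauses. Whether a real list shrinks that much depends on how contiguous the addresses are, which is why the count is returned rather than just printed.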
