[Snort-devel] about BPF filter for snort

Jerry Zhang jerry3558 at ...2499...
Mon May 26 15:28:27 EDT 2008


Hi,

Sorry for the confusion. Here the "rule" is for the "entry" of BPF.

What I want to do is that I just want to monitor the traffic related to the
hosts (both internal and external) I am interested in and so it sometimes
makes the size of the BPF table big.

And what is the limitation of the number of BPF entries?

Thanks for your response!


2008/5/26 Leon Ward <seclists at ...2967...>:

> Let's define "rule" here so we can correctly understand what's occurring:  rule
> = a Snort detection definition (those things in the filename.rules files). Do
> you receive an error when there are too many rules, or when your BPF
> definition hits a specific size?
>
> - If it's BPF size:
> Let's take a step back briefly.
> What are you trying to achieve? There may be a better way of getting to
> your goal without a 20,000 line BPF.
>
> - If it's rule size:
> How much memory is in your sensor?
> What search method are you using?
> What do these rules do? I assume that a large percentage are custom, it's
> rare that a single sensor needs to run 20,000 rules.
>
> -Leon
>
> On 26 May 2008, at 18:08, Justin Mitchell wrote:
>
> How much memory do you have? What version of Snort? Seems unrelated to your
> BPF and specific to the number of rules you're attempting to load.
>
> On Sat, May 24, 2008 at 11:56 PM, Jerry Zhang <jerry3558 at ...2499...> wrote:
>
>> hi guys,
>>
>> I am trying to use BPF filter in the snort (snort ..... -F bpf_file).
>>
>> My bpf_file is like this:
>>
>> ---------------------------------------
>> (host 192.168.1.1) or
>> (host 192.168.1.10) or
>> (host x.x.x.x) or
>> ........
>> (net 192.111) or
>> (net 192.112) or
>> .........
>> (host y.y.y.y)
>> ........
>> ........
>> ---------------------------------------
>>
>>
>> Everything works fine if the number of rules is small, for example the
>> number of rules is 10.
>>
>> However, when the number of rules increases a lot, for example, when the
>> number of rules is 20,000, I got the error message as:
>>
>> ------------------------------------------------------------------
>> ERROR: OpenPcap() FSM compilation failed:
>>         malloc
>> ------------------------------------------------------------------
>>
>> I tried to aggregate some of the rules from "host" to "net" but it does
>> not reduce the number of rules a lot because of my application requirement.
>>
>> So my question is that:
>>
>> 1. How can I solve this problem by configuring snort?
>>
>> 2. Or is there any way to solve this problem by configuring the System?
>> (I am using ubuntu)
>>
>>
>> Thanks for your help.
>>
>>
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>>
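The thread's only mitigation idea is the one Jerry mentions in the original question: aggregating "host" entries into "net" entries so the BPF "or" chain handed to snort -F has fewer primitives to compile. The script below is an added example, not code from the Snort project or from anyone in the thread. It collapses a watch list of hosts and CIDR prefixes into the smallest covering set of networks (consecutive hosts become one prefix, hosts already inside a listed net are dropped) and renders the result as the one-primitive-per-line filter file format shown in the question. It uses only the Python standard library and goes slightly beyond the thread in also accepting IPv6 entries. Assumptions: entries are IP literals or CIDR prefixes, so the classic shorthand "net 192.111" from the question must be written as 192.111.0.0/16; the sample watch list is constructed for illustration.

```python
"""Collapse a host/net watch list into a shorter BPF 'or' chain for snort -F."""
import ipaddress


def aggregate_prefixes(entries):
    """Return the minimal sorted list of networks covering every entry.

    Each entry is an IP literal or a CIDR prefix. Consecutive /32 (or /128)
    hosts merge into a larger prefix, and any entry fully inside another
    listed prefix is removed. IPv4 and IPv6 are collapsed separately because
    ipaddress.collapse_addresses() refuses mixed versions.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    collapsed = []
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same_version))
    return collapsed


def bpf_term(net):
    """Render one network as a BPF primitive.

    A single address becomes 'host a.b.c.d'; anything wider becomes
    'net a.b.c.d/len', which libpcap's filter syntax accepts directly.
    """
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def build_bpf_filter(entries):
    """Build the filter text for snort -F and report how many primitives remain.

    One primitive per line, joined with 'or', matches the layout of the
    bpf_file in the thread. Returns (filter_text, term_count) so the caller
    can compare the count against the raw entry count.
    """
    terms = [bpf_term(n) for n in aggregate_prefixes(entries)]
    return " or\n".join(terms), len(terms)


# Constructed sample watch list (hypothetical addresses): four consecutive
# hosts, a /24 plus one host already inside it, and one lone host.
SAMPLE_ENTRIES = [
    "10.0.0.0", "10.0.0.1", "10.0.0.2", "10.0.0.3",
    "10.0.1.0/24", "10.0.1.77",
    "192.168.1.1",
]

if __name__ == "__main__":
    text, count = build_bpf_filter(SAMPLE_ENTRIES)
    print(f"{len(SAMPLE_ENTRIES)} entries collapsed to {count} primitives:")
    print(text)
```

Run it on the real watch list and write the output to the file passed with -F; the returned count is the number of primitives libpcap has to compile, which is the quantity that was growing toward 20,000 in the question. Aggregation only helps when the watched addresses are clustered; a list of scattered, non-adjacent hosts collapses very little, which is the "application requirement" limit Jerry ran into.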