[Snort-devel] about BPF filter for snort

Leon Ward seclists at ...2967...
Mon May 26 16:39:30 EDT 2008


Hi.

Snort rules consist of two sections:
  - A rule body, it defines what Snort looks for in the traffic stream
  - A rule header, it defines what traffic is assessed for attacks.

Rather than use a BPF, look at tuning your variables as this controls  
the key elements of the rule headers. This therefore controls what  
traffic is inspected.
I have heard that complicated BPF's may also impact performance  
(although I have not tested this myself).

-Leon

On 26 May 2008, at 20:28, Jerry Zhang wrote:

> Hi,
>
> Sorry for the confusion. Here the "rule" is for the "entry" of BPF.
>
> What I want to do is that I just want to monitor the traffic related  
> to the hosts (both internal and external) I am interested in and so  
> it sometimes makes the size of the BPF table big.
>
> And what is the limitation of the number of BPF entries?
>
> Thanks for your response!
>
>
> 2008/5/26 Leon Ward <seclists at ...2967...>:
> Let's define "rule" here so we can correctly understand what's  
> occurring:
> 	rule = a Snort detection definition (those things in the  
> filename.rules files)
> Do you receive an error when there are too many rules, or when your  
> BPF definition hits a specific size?
>
> - If it's BPF size:
> Let's take a step back briefly.
> What are you trying to achieve? There may be a better way of getting  
> to your goal without a 20,000 line BPF.
>
> - If it's rule size:
> How much memory is in your sensor?
> What search method are you using?
> What do these rules do? I assume that a large percentage are custom,  
> it's rare that a single sensor needs to run 20,000 rules.
>
> -Leon
>
> On 26 May 2008, at 18:08, Justin Mitchell wrote:
>
>> How much memory do you have? What version of Snort? Seems unrelated  
>> to your BPF and specific to the number of rules you're attempting  
>> to load.
>>
>> On Sat, May 24, 2008 at 11:56 PM, Jerry Zhang <jerry3558 at ...2499...>  
>> wrote:
>> hi guys,
>>
>> I am trying to use BPF filter in the snort (snort ..... -F bpf_file).
>>
>> My bpf_file is like this:
>>
>> ---------------------------------------
>> (host 192.168.1.1) or
>> (host 192.168.1.10) or
>> (host x.x.x.x) or
>> ........
>> (net 192.111) or
>> (net 192.112) or
>> .........
>> (host y.y.y.y)
>> ........
>> ........
>> ---------------------------------------
>>
>>
>> Everything works fine if the number of rules is small, for example  
>> the number of rules is 10.
>>
>> However, when the number of rules increases a lot, for example,  
>> when the number of rules is 20,000, I got the error message as:
>>
>> ------------------------------------------------------------------
>> ERROR: OpenPcap() FSM compilation failed:
>>         malloc
>> ------------------------------------------------------------------
>>
>> I tried to aggregate some of the rules from "host" to "net" but it  
>> does not reduce the number of rules a lot because of my application  
>> requirement.
>>
>> So my question is that:
>>
>> 1. How can I solve this problem by configuring snort?
>>
>> 2. Or is there any way to solve this problem by configuring the  
>> System? (I am using ubuntu)
>>
>>
>> Thanks for your help.
>>
>>
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>>
>
>
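As an added example (not code from this thread, from any of the posters, or from the Snort project), the script below does mechanically what Jerry described trying by hand: it reads a bpf_file in the format quoted above, turns each `host`/`net` primitive into a network, collapses adjacent ones with Python's `ipaddress.collapse_addresses`, and re-emits a shorter expression with fewer primitives for libpcap to compile. The same collapsed list can be pasted into a Snort variable, which is the direction Leon suggests; that output assumes Snort 2.8-style `ipvar` syntax. The sample input is constructed and the addresses in it are made up.

```python
"""Collapse a long host/net BPF file into fewer primitives.

Added example for the snort-devel thread on oversized BPF filters; it is
not code from Snort or from any poster. Input format mimics the bpf_file
quoted in the thread: one "(host ...) or" / "(net ...) or" entry per line.
"""
import ipaddress
import re

# Constructed sample in the style of the thread's bpf_file (made-up addresses).
SAMPLE_BPF_FILE = """\
(host 192.168.1.1) or
(host 192.168.1.10) or
(host 192.168.1.2) or
(host 192.168.1.3) or
(net 10.1.0.0/16) or
(net 10.0.0.0/16) or
(host 172.16.5.9)
"""

# Matches "(host 1.2.3.4)" and "(net 10.0.0.0/8)" / "(net 192.111)"; anything
# else (placeholders such as "x.x.x.x" or "........") is skipped.
_ENTRY_RE = re.compile(r"\(\s*(host|net)\s+([0-9./]+)\s*\)")


def _net_from_bpf(addr):
    """Turn a BPF net operand into an ip_network.

    libpcap accepts the abbreviated dotted form ("192.111" == 192.111.0.0/16),
    which ipaddress does not, so pad missing octets and derive the prefix.
    """
    if "/" in addr:
        return ipaddress.ip_network(addr, strict=False)
    octets = addr.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def parse_entries(text):
    """Return one ip_network per host/net primitive found in the file text."""
    nets = []
    for kind, addr in _ENTRY_RE.findall(text):
        if kind == "host":
            nets.append(ipaddress.ip_network(addr + "/32"))
        else:
            nets.append(_net_from_bpf(addr))
    return nets


def collapse(nets):
    """Merge overlapping and adjacent networks into the smallest equivalent set."""
    return list(ipaddress.collapse_addresses(nets))


def to_bpf(nets):
    """Render networks back as a single BPF expression (hosts stay 'host')."""
    parts = []
    for n in nets:
        if n.prefixlen == 32:
            parts.append(f"host {n.network_address}")
        else:
            parts.append(f"net {n.with_prefixlen}")
    return " or ".join(parts)


def to_snort_ipvar(name, nets):
    """Render the same set as a Snort 2.8-style ipvar line (assumed syntax)."""
    items = ",".join(n.with_prefixlen for n in nets)
    return f"ipvar {name} [{items}]"


def shrink_bpf_file(text):
    """Return (primitives_before, primitives_after, bpf_expression)."""
    before = parse_entries(text)
    after = collapse(before)
    return len(before), len(after), to_bpf(after)


if __name__ == "__main__":
    n_before, n_after, expr = shrink_bpf_file(SAMPLE_BPF_FILE)
    print(f"{n_before} primitives -> {n_after}")
    print(expr)
    print(to_snort_ipvar("MONITORED_NET", collapse(parse_entries(SAMPLE_BPF_FILE))))
```

Run it against the real bpf_file to see how much the expression shrinks; whether 20,000 host entries collapse usefully depends entirely on how contiguous the address space is, which is the "application requirement" limit Jerry ran into.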
