[Snort-devel] Patch to allow newlines in BPF filter file

Sun Apr 30 19:52:02 EDT 2017


Our BPF filter is rather long with about 70 combined expressions. We currently have to keep all of that on one line, otherwise the BPF filter that is read in doesn’t properly handle the newlines (it does something like '!host 1.2.3.4%012' and functionally doesn’t work right). We’d like to make the file more readable by better handling newlines as well as better handling comments. The idea is to convert all newlines to spaces the same way as comments are currently handled. While it adds a lot of extra whitespace in the BPF filter, spaces seem to be handled appropriately. A sample file would look like:

# Comment 1
!host 1.2.3.4 &&
!host 2.3.4.5 &&

# Comment 2
!host 3.4.5.6

I’ve included a patch which appears to work. It is built against the downloadable 2.9.9.0 version found on the webpage (I couldn’t find a CVS repository to get the latest snort version from). Would you be willing to accept the patch and add it to a future version of Snort? 

Please feel free to rewrite it completely or otherwise provide feedback. I’m not the best C coder.
Thanks,
Scott

[]$ diff -ru snort-2.9.9.0.orig snort-2.9.9.0
diff -ru snort-2.9.9.0.orig/src/util.c snort-2.9.9.0/src/util.c
--- snort-2.9.9.0.orig/src/util.c       2016-06-07 07:47:48.000000000 +0000
+++ snort-2.9.9.0/src/util.c    2017-04-28 15:11:19.110669851 +0000
@@ -1382,13 +1382,18 @@
      *  so that we can put comments in our BPF filters
      */
 
-    while((cmt = strchr(cp, '#')) != NULL)
-    {
-        while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0')
-        {
-            *cmt++ = ' ';
+    cmt = cp;
+    while ( *cmt != '\0' ) {
+        if ( *cmt == '#' ) {
+            while (*cmt != '\r' && *cmt != '\n' && *cmt != '\0') {
+                *cmt++ = ' ';
+            }
         }
-    }
+        if ( *cmt == '\r' || *cmt == '\n' ) {
+            *cmt = ' ';
+        }
+        cmt++;
+    }
 
     /** LogMessage("BPF filter file: %s\n", fname); **/
 
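Review bot: the new loop can walk past the end of the string. When a '#' comment runs to the end of the buffer with no trailing newline, the inner `while` stops with `*cmt == '\0'`, the CR/LF test below it is false, and the unconditional `cmt++` steps over the terminator, so the outer `while ( *cmt != '\0' )` keeps reading (and writing spaces into) whatever follows the buffer. A `continue` right after the inner loop, or an `if (*cmt == '\0') break;` before `cmt++`, fixes it. Minor style point: the surrounding util.c code puts braces on their own line (see the removed lines), so the new block should match.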
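As an added example (not Scott's patch and not Snort's own util.c), the same comment-and-newline normalization written so that the NUL terminator is never stepped over, plus a small whitespace collapser used only to check that the sample file from the mail reduces to the single-line expression it stands for. The function names and the sample input are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Blank out '#' comments and turn CR/LF into spaces, in place.
 * The length of the string is preserved, and the scan stops at the
 * terminator even when a comment is the last thing in the buffer. */
void bpf_strip_comments_and_newlines(char *cp)
{
    char *p = cp;
    while (*p != '\0') {
        if (*p == '#') {
            /* blank the comment up to, but not including, end of line */
            while (*p != '\r' && *p != '\n' && *p != '\0')
                *p++ = ' ';
            continue;           /* re-examine *p: it is now CR, LF or NUL */
        }
        if (*p == '\r' || *p == '\n')
            *p = ' ';
        p++;
    }
}

/* Collapse runs of spaces into one and trim both ends, so the result
 * can be compared against the one-line filter a human would write. */
size_t collapse_spaces(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    int pending = 0;            /* a space is owed before the next token */
    for (; *in != '\0'; in++) {
        if (*in == ' ') { if (n) pending = 1; continue; }
        if (pending && n + 1 < outsz) { out[n++] = ' '; pending = 0; }
        if (n + 1 < outsz) out[n++] = *in;
    }
    if (outsz) out[n] = '\0';
    return n;
}

int main(void)
{
    /* constructed input: the sample file from the mail */
    char buf[] = "# Comment 1\n!host 1.2.3.4 &&\n!host 2.3.4.5 &&\n\n"
                 "# Comment 2\n!host 3.4.5.6";
    char out[128];
    bpf_strip_comments_and_newlines(buf);
    collapse_spaces(buf, out, sizeof out);
    printf("%s\n", out);        /* !host 1.2.3.4 && !host 2.3.4.5 && !host 3.4.5.6 */
    return 0;
}
```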