[Snort-users] use of BPF in 1.8.7beta6 might be broken

Michael Scheidell scheidell at ...5171...
Sun Jun 9 19:42:01 EDT 2002


There might be two problems with BPF filter usage in Snort 1.8.7beta6.

Problem one (already reported)
HUP does not release the fd that opened the bpf filter
check with lsof, one fd open for /usr/local/share/snort/snort.bpf

SIGHUP snort, two fds, same file.

SECOND PROBLEM:
doesn't work.
Yep, snort won't log anything except spp_stream4 stuff if I use a bpf
filter.


FREEBSD 4.5.
-*> Snort! <*-
Version 1.8.7beta6 (Build 121)

/usr/local/bin/snort -doDI -m 022 -z \
-F /usr/local/share/snort/snort.bpf \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort

remove the -F line, all is fine.
bpf file:
cat /usr/local/share/snort/snort.bpf
not src host 10.1.1.10

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net
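The descriptor-leak check described in the report (count the fds open on the .bpf file with lsof, send SIGHUP, count again) can be reproduced without Snort. The following is an added Python example, not code from the post or from the Snort project: a hypothetical BpfLoader class models a daemon that re-reads its -F filter file in a SIGHUP handler, once without closing the previous descriptor (the leaking behaviour reported above) and once correctly, and fds_open_on() counts descriptors the way lsof does, by matching each open fd's device and inode against the filter file. The class, helper names, and the temporary filter file are assumptions made for the demonstration.

```python
import os
import signal
import tempfile
import time


class BpfLoader:
    """Hypothetical stand-in for a daemon that reads its -F filter file at
    startup and again on SIGHUP. Raw os.open() descriptors are used so that
    an overwritten descriptor stays open, just as a lost int fd would in C."""

    def __init__(self, path, close_on_reload):
        self.path = path
        self.close_on_reload = close_on_reload
        self.fd = None
        self.filter_text = None
        self.load()

    def load(self):
        # Correct behaviour: release the old descriptor before reopening.
        if self.fd is not None and self.close_on_reload:
            os.close(self.fd)
        # Leaking behaviour: the previous fd is simply overwritten and lost.
        self.fd = os.open(self.path, os.O_RDONLY)
        self.filter_text = os.read(self.fd, 4096).decode().strip()

    def handle_sighup(self, signum=None, frame=None):
        self.load()


def fds_open_on(path, max_fd=256):
    """Return the fds in this process that refer to `path`, matched by
    (st_dev, st_ino) as lsof does, so every duplicate open is counted."""
    target = os.stat(path)
    key = (target.st_dev, target.st_ino)
    found = []
    for fd in range(max_fd):
        try:
            st = os.fstat(fd)
        except OSError:
            continue  # fd not open
        if (st.st_dev, st.st_ino) == key:
            found.append(fd)
    return found


def run_demo(close_on_reload, hups=2):
    """Start the loader, deliver `hups` SIGHUPs to ourselves, and return
    (fds on the filter file before, fds on the filter file after)."""
    # Constructed filter file carrying the same rule as in the report.
    with tempfile.NamedTemporaryFile("w", suffix=".bpf", delete=False) as f:
        f.write("not src host 10.1.1.10\n")
        path = f.name
    loader = BpfLoader(path, close_on_reload)
    previous = signal.signal(signal.SIGHUP, loader.handle_sighup)
    try:
        before = len(fds_open_on(path))
        for _ in range(hups):
            os.kill(os.getpid(), signal.SIGHUP)  # same as: kill -HUP <pid>
            time.sleep(0.01)                     # let the handler run
        after = len(fds_open_on(path))
    finally:
        signal.signal(signal.SIGHUP, previous)
        for fd in fds_open_on(path):
            os.close(fd)
        os.unlink(path)
    assert loader.filter_text == "not src host 10.1.1.10"
    return before, after


if __name__ == "__main__":
    print("leaking reload :", run_demo(close_on_reload=False))  # (1, 3)
    print("correct reload :", run_demo(close_on_reload=True))   # (1, 1)
```

With the leaking reload the count grows by one per SIGHUP, which is exactly what a second lsof line for the same .bpf file after a HUP indicates; with the correct reload the count stays at one.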
