[Snort-users] use of BPF in 1.8.7beta6 might be broken

Chris Green cmg at ...1935...
Tue Jun 11 20:43:02 EDT 2002

"Michael Scheidell" <scheidell at ...5171...> writes:

> Might be two problems with bpf filter usage in snort 1.8.7beta6
> Problem one (already reported)
> HUP does not release the fd that opened the bpf filter
> check with lsof, one fd open for /usr/local/share/snort/snort.bpf

Seems to just be a missing close(fd) in read_infile, just committed,
see what do you see?

> SIGHUP snort, two fds, same file.
> doesn't work.
> Yep, snort won't log anything except spp_stream4 stuff if I use a bpf
> filter.

It seems to work just fine with a BPF filter here and just leaks the
FD on Linux. I'll try tommorrow on BSD and see what happens

do you get the same thing when you specify the pcap on the command line?

> FREEBSD 4.5.
> -*> Snort! <*-
> Version 1.8.7beta6 (Build 121)
> /usr/local/bin/snort -doDI -m 022 -z \
> -F /usr/local/share/snort/snort.bpf \
> -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort
> remove the -F line, all is fine.
> bpf file:
> cat /usr/local/share/snort/snort.bpf
> not src host
Chris Green <cmg at ...1935...>
"I'm beginning to think that my router may be confused."

More information about the Snort-users mailing list