[Snort-users] BUG of "config bpf_file"

Phil Wood cpw at ...440...
Wed May 1 14:31:11 EDT 2002


You are correct!  I was running a more recent version 1.9dev.

I suggest you use the command line until 1.9 is available.  Of
course you can always go with the bleeding edge like I do.  But, then
there are possibly more serious problems to contend with.   %^)

Later,

On Wed, May 01, 2002 at 11:41:53PM +0800, Peng Yong wrote:
> > On Wed, May 01, 2002 at 04:07:26PM +0800, Peng Yong wrote:
> > > 
> > > I have the following line in snort.conf:
> > > 
> > > config bpf_file: snort.bpf
> > > 
> > > and the content of snort.bpf:
> > > 
> > > tcp port 80
> > > 
> > > 
> > > But the bpf_file config in the snort rules file can't set the filter to bpf.
> > > 
> > > I checked the code in snort.c and found that snort calls pcap_compile on
> > > the filter before parsing snort.bpf.
> > Not in my version.  Try using gdb and set a breakpoint just before the
> > pcap_setfilter call and look at the contents of pv.pcap_cmd.  If it's
> > still null, you probably need to upgrade to a current snort.
> > > 
> 
> I debugged snort with gdb before I sent my last email.
> 
> The pv.pcap_cmd is null when I set it in the rule file. It is OK when I
> set it on the command line.
> 
> i also compiled a debug version of snort by:
> 
>  ./configure --enable-debug
> 
> and the debug information also reports the same thing.
> 
> I have tested 1.8.6 and the latest source from CVS.
> 
> --
> Peng Yong                     Email: ppyy at ...5444...
> Bentium Ltd.                  URL: http://www.cn99.com

-- 
Phil Wood, cpw at ...440...
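
The workaround suggested above (pass the filter on the command line until 1.9), as an added shell example that is not part of the original thread: a wrapper that reads the `config bpf_file:` line from snort.conf and hands the same file to Snort with `-F`. The function names and the `SNORT` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): honour "config bpf_file:" on Snort
# builds that ignore it, by passing the same file with -F.

# Print the file named by the last uncommented "config bpf_file:" line.
# Returns 1 if the config is unreadable or has no such line.
bpf_file_from_conf() {
    conf_path=$1
    [ -r "$conf_path" ] || return 1
    bpf_name=$(sed -n \
        -e 's/#.*$//' \
        -e 's/^[[:space:]]*config[[:space:]]\{1,\}bpf_file[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf_path" | tail -n 1)
    [ -n "$bpf_name" ] || return 1
    printf '%s\n' "$bpf_name"
}

# Run Snort with -c <conf>, adding -F <file> when the config names one.
# SNORT is a hypothetical override for the binary (default: snort in PATH).
run_snort() {
    conf=$1
    shift
    if bpf=$(bpf_file_from_conf "$conf"); then
        set -- -F "$bpf" "$@"
    fi
    "${SNORT:-snort}" -c "$conf" "$@"
}
```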




