[Snort-users] Apology

Phil Wood cpw at ...440...
Thu May 2 08:57:08 EDT 2002


My test of the problem with "config bpf_file:" in snort-1.9dev was inadequate.
The problem is not fixed yet.  The reason why it does not work is that
pcap_compile is called prior to the parsing of the config file.

The workaround is to use the -F flag or append the filter to the
command line.

The reasoning stated in the source is that:

  interfaces are being initalized before the config file is read, so some
  plugins would be able to start up properly.

I don't see any libpcap routine calls in the preprocessors.
Does anyone know which plugins won't start up properly?  If this comment
is in error, then the fix is easy, just place the network initialization
after parsing the config file.  Otherwise, the calls to pcap_compile and
pcap_setfilter could be pulled out of OpenPcap and placed after the call to