Dan Farrell wrote:
> I'm running Snort 2.4.5 (the pkg) on OpenBSD 4.0 and I use a bpf filter
> file to have Snort ignore certain hosts altogether.
>
> The command I'm using is 'snort -D -i dc1 -F bpfile'

The kernel has a limit for the maximum number of filter instructions.
Currently it is set to 512. This is the limit you are hitting with your
filter definition. Since the buffers are not allocated until you set a
filter, it seems safe to increase the limit. It is defined in
src/sys/net/bpf.h:

    #define BPF_MAXINSNS 512

You will have to compile a new kernel.

> When I have the single line of-
>
> not host 192.168.1.69
>
> Snort runs fine. But when I lengthen the bpf filter file to-
>
> not host 192.168.1.69
> and not host 10.1.1.1
> and not host 4.2.2.2
> ... 60 more addresses ...
> and not host 6.6.6.6
>
> Snort chokes with the following error-
>
> snort: FATAL ERROR: OpenPcap() setfilter: BIOCSETF: Invalid
> argument
>
> The BPF file I'm using is one I pulled from another snort installation I
> have running on -gasp- Fedora (I mention this because it has no problems
> parsing the same file.) Is there a way to have multiple entries in the
> BPF file that I'm missing... am I using the wrong syntax (is there an
> alternative to 'and not host' that I need to use)?
>
>
> Dan Farrell
> Applied Innovations
> [EMAIL PROTECTED]
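Added example, not part of the thread: a way to check how many BPF instructions a bpf file compiles to before handing it to Snort, so the BIOCSETF failure is caught ahead of time. It compiles the expression with tcpdump -d against an empty pcap (no capture privileges needed); the 512 limit and the 'not host' form come from the messages above, while the host list and the sample dump are constructed.

```python
import re
import struct
import subprocess
import tempfile

BPF_MAXINSNS = 512  # the OpenBSD kernel limit quoted in the reply (src/sys/net/bpf.h)
# Constructed sample of `tcpdump -d` output: one numbered line per BPF instruction.
SAMPLE_DUMP = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 3
(002) ret      #262144
(003) ret      #0
"""

def build_filter(hosts):
    """Join hosts into the 'not host A and not host B ...' form used in the bpf file."""
    return " and ".join(f"not host {h}" for h in hosts)

def count_bpf_insns(dump):
    """Count instructions in `tcpdump -d` output; each line starts with '(NNN) '."""
    return len(re.findall(r"^\(\d+\)\s", dump, re.MULTILINE))

def compile_with_tcpdump(expr):
    """Compile expr with tcpdump(8) against an empty Ethernet pcap (no capture
    privileges needed). Returns the instruction count, or None if tcpdump is
    missing or rejects the expression."""
    # pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, DLT_EN10MB (1)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with tempfile.NamedTemporaryFile(suffix=".pcap") as pcap:
        pcap.write(header)
        pcap.flush()
        try:
            proc = subprocess.run(["tcpdump", "-r", pcap.name, "-d", expr],
                                  capture_output=True, text=True, check=True)
        except (FileNotFoundError, subprocess.CalledProcessError):
            return None
    return count_bpf_insns(proc.stdout)

if __name__ == "__main__":
    # Constructed list of 64 excluded hosts, about the size of the filter in the thread.
    hosts = [f"10.0.{i // 256}.{i % 256}" for i in range(1, 65)]
    n = compile_with_tcpdump(build_filter(hosts))
    verdict = "tcpdump unavailable" if n is None else f"{n} instructions, limit {BPF_MAXINSNS}"
    print(f"{len(hosts)} hosts -> {verdict}")
```

If the count comes out above BPF_MAXINSNS, either raise the limit and rebuild the kernel as the reply describes, or shorten the filter (for instance by grouping contiguous addresses into 'net' clauses) until it fits.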

