On 2007/01/09 23:03, Can Erkin Acar wrote:
> Dan Farrell wrote:
> > I'm running Snort 2.4.5 (the pkg) on OpenBSD 4.0 and I use a bpf filter
> > file to have Snort ignore certain hosts altogether.
> > 
> > The command I'm using is 'snort  -D -i dc1 -F bpfile'
> 
> The kernel has a limit for the maximum number of filter
> instructions. Currently it is set to 512. This is the
> limit you are hitting with your filter definition.
> 
> Since the buffers are not allocated until you set a
> filter, it seems safe to increase the limit.
> It is defined in src/sys/net/bpf.h:
> #define BPF_MAXINSNS 512
> You will have to compile a new kernel.

Alexander Zatserkovniy sent me these patches to fix the support that
was already in snort to handle packets with pflog headers (snort didn't
update it after the header format last changed); this allows selection
via PF rules rather than BPF (and with the new clonable pflogNN you
can have a bunch of different options ready and choose from them).
As well as using them on the pflog interfaces directly you should
also be able to use them on files produced by pflogd.

I haven't tested this myself, but it may be useful...

diff -Naur snort-2.4.5/src/decode.c snort-2.4.5-patched/src/decode.c
--- src-orig/decode.c   Sat Sep 17 08:06:35 2005
+++ src/decode.c        Thu Dec 14 15:39:51 2006
@@ -1204,7 +1204,7 @@
     p->pfh = (PflogHdr *) pkt;
 
     /*  get the network type - should only be AF_INET or AF_INET6 */
-    switch(ntohs(p->pfh->af))
+    switch((unsigned short)p->pfh->af)
     {
         case AF_INET:   /* IPv4 */
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated 
to be %lu "
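Review bot: the cast on the switch line, `switch((unsigned short)p->pfh->af)`, only works because `sa_family_t` is a single byte on OpenBSD (see the `decode.h` hunk below), and that is also why the old `ntohs()` was wrong: on a little-endian host it promotes the 8-bit value to 16 bits and byte-swaps it, so AF_INET (2) became 0x0200 and neither case label ever matched. The cast itself is unnecessary (the switch promotes the operand anyway); drop it and add a one-line comment that the pflog header is in host byte order with a one-byte family field, so nobody reintroduces `ntohs()` later. Separately, the `diff -Naur` line names `snort-2.4.5/src/decode.c` while the `---`/`+++` lines name `src-orig/decode.c` and `src/decode.c`, so the patch will not apply at the `-p` level the header suggests; regenerate both files from the same tree.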


diff -Naur snort-2.4.5/src/decode.h snort-2.4.5-patched/src/decode.h
--- src-orig/decode.h   Fri Sep  2 08:09:20 2005
+++ src/decode.h        Thu Dec 14 15:37:29 2006
@@ -724,7 +724,7 @@
 
 typedef struct _Pflog_hdr
 {
-        int8_t          length;
+        u_int8_t          length;
         sa_family_t     af;
         u_int8_t        action;
         u_int8_t        reason;
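Review bot: widening `length` to `u_int8_t` matches the kernel's `pfloghdr`, but nothing in this hunk or in the decoder hunk above (where the header is simply overlaid with `p->pfh = (PflogHdr *) pkt;`) shows the captured length being checked against `sizeof(PflogHdr)` before `af` is read, or `length` itself being validated. Please confirm that `DecodePflog` rejects captures shorter than the header and treats an unexpected `length` as a malformed record rather than trusting it as an offset into the packet; with the header growing by 16 bytes in the next hunk, a file written by an older pflogd would otherwise be decoded against the wrong layout.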
@@ -732,6 +732,10 @@
         char            ruleset[16];
         u_int32_t       rulenr;
         u_int32_t       subrulenr;
+        uid_t           uid;
+        pid_t           pid;
+        uid_t           rule_uid;
+        pid_t           rule_pid;
         u_int8_t        dir;
         u_int8_t        pad[3];
 } PflogHdr;
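Review bot: the four new fields use `uid_t` and `pid_t`, which are host-defined types, while this struct is cast directly over captured bytes; on OpenBSD both are 32-bit so the layout works there, but on any host where they differ the offsets of `dir` and `pad` move and every pflogd file decodes wrongly. Use fixed-width `u_int32_t` for `uid`, `pid`, `rule_uid` and `rule_pid` (as `rulenr` and `subrulenr` already do), and add a compile-time or startup check that `sizeof(PflogHdr)` equals the 64-byte header the kernel emits, since the decoder depends on an exact match. A comment naming the OpenBSD release whose `pfloghdr` this mirrors would also help whoever has to update it the next time the format changes.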

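As an added example (not code from the post, from Snort or from OpenBSD), here is a small decoder for the 64-byte pflog header in the patched layout above, written with fixed-width types so the overlay is the same size on every host. It assumes OpenBSD's address-family numbering (AF_INET = 2, AF_INET6 = 24) because the record was written by an OpenBSD kernel rather than by the decoding host, that the integer fields are in the writing host's byte order, and that the kernel stores the unpadded header length (61) in `length` while the packet itself starts at the next 4-byte boundary (64). The sample record is constructed here, and the `ntohs_on_le()` helper reproduces what the original `ntohs(p->pfh->af)` computed on a little-endian machine.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort or OpenBSD code.  Mirrors the patched PflogHdr
 * from the post with fixed-width types so the overlay is 64 bytes on any host. */
struct pflog_hdr {
    uint8_t  length;       /* assumed: unpadded header length as written by the kernel (61) */
    uint8_t  af;           /* sa_family_t is ONE byte on OpenBSD: never ntohs() it */
    uint8_t  action;       /* 0 = pass, 1 = block */
    uint8_t  reason;
    char     ifname[16];
    char     ruleset[16];
    uint32_t rulenr;       /* integers are in the writing host's byte order */
    uint32_t subrulenr;
    uint32_t uid;          /* uid_t/pid_t are 32-bit on OpenBSD; fixed here on purpose */
    uint32_t pid;
    uint32_t rule_uid;
    uint32_t rule_pid;
    uint8_t  dir;          /* 1 = in, 2 = out */
    uint8_t  pad[3];
};

#define PFLOG_REAL_HDRLEN ((size_t)offsetof(struct pflog_hdr, pad))  /* 61 */
#define PFLOG_HDRLEN      sizeof(struct pflog_hdr)                    /* 64 */

/* Compile-time guard: if the layout drifts, this array gets a negative size. */
typedef char pflog_hdr_is_64_bytes[(PFLOG_HDRLEN == 64) ? 1 : -1];

/* Address-family values as OpenBSD numbers them (assumption: the capture was
 * written by an OpenBSD kernel, so these are NOT the decoding host's AF_*). */
#define PFLOG_AF_INET  2
#define PFLOG_AF_INET6 24

enum pflog_status { PFLOG_OK = 0, PFLOG_SHORT, PFLOG_BAD_LEN, PFLOG_BAD_AF };

struct pflog_info {
    uint8_t        af;
    uint8_t        action;
    uint8_t        dir;
    uint32_t       rulenr;
    char           ifname[17];   /* NUL-terminated copy */
    const uint8_t *payload;      /* start of the encapsulated IP packet */
    size_t         paylen;
};

/* Decode one pflog record of caplen bytes, validating before trusting any field. */
static int pflog_decode(const uint8_t *pkt, size_t caplen, struct pflog_info *out)
{
    struct pflog_hdr h;
    size_t off;

    if (caplen < PFLOG_HDRLEN)            /* never overlay a struct on a short capture */
        return PFLOG_SHORT;
    memcpy(&h, pkt, sizeof h);            /* copy out: no alignment assumptions on pkt */

    /* Payload starts at the next 4-byte boundary after the stored length.  Anything
     * shorter than the layout we know is rejected, not silently misparsed. */
    if (h.length < PFLOG_REAL_HDRLEN)
        return PFLOG_BAD_LEN;
    off = ((size_t)h.length + 3) & ~(size_t)3;
    if (off > caplen)
        return PFLOG_BAD_LEN;

    if (h.af != PFLOG_AF_INET && h.af != PFLOG_AF_INET6)
        return PFLOG_BAD_AF;              /* af is one byte, compared as-is */

    out->af = h.af;
    out->action = h.action;
    out->dir = h.dir;
    out->rulenr = h.rulenr;
    memcpy(out->ifname, h.ifname, 16);
    out->ifname[16] = '\0';
    out->payload = pkt + off;
    out->paylen = caplen - off;
    return PFLOG_OK;
}

/* What ntohs(p->pfh->af) computed on a little-endian host: the one-byte value is
 * promoted to 16 bits and byte-swapped, so AF_INET (2) becomes 0x0200 = 512. */
static unsigned ntohs_on_le(uint8_t af)
{
    uint16_t v = af;
    return (unsigned)((v << 8) | (v >> 8)) & 0xffffU;
}

/* Constructed sample: a passed, inbound IPv4 packet matched by rule 7 on em0,
 * followed by a 20-byte IPv4 header.  Returns the record length written. */
static size_t build_sample(uint8_t *buf, size_t bufsz)
{
    struct pflog_hdr h;
    size_t total = PFLOG_HDRLEN + 20;

    if (bufsz < total)
        return 0;
    memset(&h, 0, sizeof h);
    h.length = (uint8_t)PFLOG_REAL_HDRLEN;
    h.af     = PFLOG_AF_INET;
    memcpy(h.ifname, "em0", 4);
    h.rulenr = 7;
    h.dir    = 1;
    memcpy(buf, &h, sizeof h);
    memset(buf + PFLOG_HDRLEN, 0, 20);
    buf[PFLOG_HDRLEN] = 0x45;             /* IPv4, IHL = 5 */
    return total;
}

int main(void)
{
    uint8_t rec[128];
    struct pflog_info info = {0};
    size_t n = build_sample(rec, sizeof rec);

    if (pflog_decode(rec, n, &info) == PFLOG_OK)
        printf("%s rule %u af %u dir %u payload %zu bytes\n",
               info.ifname, info.rulenr, info.af, info.dir, info.paylen);
    printf("ntohs() on the one-byte af would have given %u\n", ntohs_on_le(info.af));
    return 0;
}
```

Copying the header out with `memcpy()` instead of casting `pkt` to the struct avoids both unaligned reads and the temptation to trust `length` as an offset before it has been checked; rounding the stored length up to the BPF word boundary makes the decoder indifferent to whether a given kernel records 61 or 64 in that byte.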