From: Phil Wood (cpwlanl.gov)
Date: Thu May 02 2002 - 10:56:08 CDT

    Folks,

    My test of the problem with "config bpf_file:" in snort-1.9dev was inadequate.
    The problem is not fixed yet. The reason why it does not work is that
    pcap_compile is called prior to the parsing of the config file.

    The workaround is to use the -F flag or append the filter to the
    command line.

    The reasoning stated in the source is that:

      interfaces are being initalized before the config file is read, so some
      plugins would be able to start up properly.

    I don't see any libpcap routine calls in the preprocessors.
    Does anyone know which plugins won't start up properly? If this comment
    is in error, then the fix is easy: just place the network initialization
    after parsing the config file. Otherwise, the calls to pcap_compile and
    pcap_setfilter could be pulled out of OpenPcap and placed after the call to
    ReadConfFile.

    Thanks,

    Phil
