Snort mailing list archives
Re: Network Variables
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 2 May 2013 08:15:56 -0400
On Thu, May 2, 2013 at 7:50 AM, Seth Dunn <seth () d2ms com> wrote:
What is DAQ? I have seen that, but have no idea what that is.
The DAQ is Snort's generalized interface for reading packets. I missed your Windows mention at the outset; you are using the pcap DAQ.
As far as my bpf file goes, if it is like this::

#not net 10.10.0.0/24 and not net 10.30.0.0/24
not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

It will fail with::

Reading filter from bpf file: D:\Snort\etc\ignore2.bpf
ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)
Fatal Error, Quitting..
This error text makes the issue clear. There is a bug in the code which requires that the whole file be read in one go. If you always get the same error (169 read out of 170) you can try deleting a character from the comment line. Otherwise, adding more comments at the end might work. But your best bet for now would be to put the comments directly in Snort's conf and keep only the active BPF in your .bpf. I'll file a bug to get the read fixed.

Thanks
Russ
If I remove the commented line, then snort starts fine. If I try to have multiple lines in the file, (all being rules, no comments) then it will fail with a similar error as above. I have never seen a DAQ error.

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Thursday, May 02, 2013 12:08 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

Snort does allow comments in the BPF file, starting with # to end of line. If there is a syntax error, you should see something like:

ERROR: Can't set DAQ BPF filter to '
...
' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting..

What DAQ are you using? Please send the BPF file that fails and the error that you get.

On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 5/1/2013 13:09, Seth Dunn wrote:
But any ideas why snort fails to start if I add in a '#' to comment a line??

i have no clue but it sounds like a coding error not allowing comment lines in the BPF file... only joel or one of the snort dev guys can tell us that... or possibly a code diver who can root around in the snort code ;)

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
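An added illustration of the failure discussed in this message, not Snort's own code: a loader for a commented BPF file that reads to EOF in a loop instead of treating a short read as fatal, strips `#` comments, and returns a single line suitable for pcap_compile(). The function names `read_all`, `strip_bpf_comments` and `load_bpf_file` are assumptions made for the example.

```c
/* Added example, not Snort source; function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read to EOF in a loop: a short fread() is normal, only ferror() is fatal,
 * and the count is never checked against a size obtained beforehand. */
static char *read_all(FILE *fp)
{
    size_t cap = 256, n = 0, got;
    char *buf = malloc(cap), *tmp;

    while (buf && (got = fread(buf + n, 1, cap - n - 1, fp)) > 0) {
        n += got;
        if (n + 1 == cap) {              /* buffer full: double it */
            tmp = realloc(buf, cap *= 2);
            if (!tmp) free(buf);
            buf = tmp;
        }
    }
    if (buf && ferror(fp)) { free(buf); buf = NULL; }
    if (buf) buf[n] = '\0';
    return buf;
}

/* Drop '#' comments to end of line and turn line breaks into spaces. */
void strip_bpf_comments(char *s)
{
    char *out = s;
    int in_comment = 0;

    for (; *s; s++) {
        if (*s == '\n') { in_comment = 0; *out++ = ' '; }
        else if (*s == '#') in_comment = 1;
        else if (!in_comment && *s != '\r') *out++ = *s;
    }
    *out = '\0';
}

/* Returns a malloc'd one-line filter for pcap_compile(), or NULL on error. */
char *load_bpf_file(const char *path)
{
    /* "rb": a Windows text-mode stream maps CRLF to LF, so fewer bytes
     * come back than the file occupies on disk. */
    FILE *fp = fopen(path, "rb");
    char *text = fp ? read_all(fp) : NULL;

    if (fp) fclose(fp);
    if (text) strip_bpf_comments(text);
    return text;
}
```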
