[Oisf-users] Large BPF causes suricata to crash

Cooper F. Nelson cnelson at ucsd.edu
Mon Jun 20 19:41:32 UTC 2016

This isn't a suricata issue.  The BPF expression is compiled and then
attached to the packet socket in kernel space.

There is a hard limit on the size of this expression, which I believe is
set in /proc/sys/net/core/optmem_max.  So you can increase it if you
really need to.

As you mention, best practice would be pre-process this list and
collapse the IPs into CIDR blocks wherever possible; perl can do this:

> http://www.perlmonks.org/?node_id=650369


On 6/20/2016 12:06 PM, Shane Boissevain wrote:
> From what I can tell, it doesn't matter if it's passed via command line,
> file, or bpf-filter. Is this a suricata-bug? A limitation of BPF?

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160620/b0051afc/attachment-0002.sig>

More information about the Oisf-users mailing list