[Oisf-users] Large BPF causes suricata to crash

Cooper F. Nelson cnelson at ucsd.edu
Mon Jun 20 19:41:32 UTC 2016


This isn't a suricata issue.  The BPF expression is compiled and then
attached to the packet socket in kernel space.

There is a hard limit on the size of this expression, which I believe is
set in /proc/sys/net/core/optmem_max.  So you can increase it if you
really need to.

As you mention, best practice would be to pre-process this list and
collapse the IPs into CIDR blocks wherever possible; Perl can do this:

> http://www.perlmonks.org/?node_id=650369

-Coop

On 6/20/2016 12:06 PM, Shane Boissevain wrote:
> From what I can tell, it doesn't matter if it's passed via command line,
> file, or bpf-filter. Is this a suricata-bug? A limitation of BPF?

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
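The pre-processing step Coop recommends above (collapse a long host list into the minimal set of CIDR blocks, then emit one BPF term per block) in Python rather than the Perl from the linked node. This is an added example, not code from the thread or from Suricata; the sample addresses are constructed from RFC 5737 documentation ranges, and the function names are the example's own.

```python
import ipaddress

# Constructed sample host list (RFC 5737 documentation space, not from the
# original thread). The first eight addresses are one contiguous /29, two more
# form a /31, one is a duplicate, and the rest are singletons.
SAMPLE_IPS = [
    "192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3",
    "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7",
    "198.51.100.10", "198.51.100.11", "198.51.100.12",
    "203.0.113.5",
    "198.51.100.10",  # duplicate: collapsed away
]


def collapse_ips(entries):
    """Return the minimal sorted list of networks covering the given IPs/CIDRs.

    Accepts bare hosts ("10.0.0.1") or prefixes ("10.0.0.0/24"); adjacent and
    overlapping entries are merged. IPv4 and IPv6 are collapsed separately
    because ipaddress.collapse_addresses() requires a single version.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))


def bpf_term(net):
    """One libpcap primitive for a network: 'host A' for a single address,
    'net A/len' otherwise."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def build_bpf(entries, negate=True):
    """Build a BPF expression matching (or, with negate=True, excluding) all
    of the given addresses, using the collapsed CIDR blocks.

    Returns an empty string for an empty input so callers can detect it
    rather than attaching an always-true/always-false filter by accident.
    """
    nets = collapse_ips(entries)
    if not nets:
        return ""
    body = " or ".join(bpf_term(n) for n in nets)
    return f"not ({body})" if negate else body


if __name__ == "__main__":
    # 13 input entries collapse to 4 filter terms.
    print(f"{len(SAMPLE_IPS)} entries -> {len(collapse_ips(SAMPLE_IPS))} terms")
    print(build_bpf(SAMPLE_IPS))
```

To see how much the collapse buys you on the kernel side, feed the printed expression to `tcpdump -d '<expr>'`, which dumps the compiled filter program one instruction per line; compare the line count for the raw host list against the collapsed one before deciding whether any sysctl tuning is still needed.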


