long jumps not supported
Chas DiFatta
chas at freeworks.com
Thu Jun 1 23:24:54 EDT 2000
Lenny,
I've been running into this for some time. I really haven't
looked into the code to see where the limitation is and it's been
on the to-do list. My workaround is to run a separate
ra for each filter stream in parallel, or if the filter is so
complex that I need to serialize it as you seem to do, I just
do a,
ra -nr argus.file -w - (big ass filter) | ra -n (yet another filter)
It's a hack but it works.
...Chas
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Lenny Zeltser
> Sent: Thursday, June 01, 2000 6:49 PM
> To: argus at lists.andrew.cmu.edu
> Subject: long jumps not supported
>
>
> Dear folks,
>
> I am in the process of setting up my tcpdump-based filter to perform basic
> intrusion detection functions via "ra". The filter file documents all
> traffic that is allowed, prefixed by a "not" as the outer-most expression,
> so that "ra" reports all traffic that should not be present.
>
> The filter file is approximately 700 characters long. I have reached a
> point, however, where as soon as I add a new clause to the filter, "ra"
> responds with the following error:
>
> ra: expression: long jumps not supported
>
> Is my filter file too long for the program to handle? If so, how do people
> specify complex rules to the program?
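
Added example, not part of either message: because the filter is one outer "not" over an "or" of allowed clauses, De Morgan's law lets it be split into stages chained the way the reply's command does, each stage dropping one group of allowed traffic. The function name, the sample clauses and the length budget are constructed assumptions (the thread does not state the actual limit), and the printed command assumes ra accepts the filter as a single quoted argument.

```shell
#!/bin/sh
# Added example: turn "not (A or B or C ...)" into a chain of ra stages.
#   not (A or B or C)  ==  not (A or B)  and  not (C)
# Each ra in a pipe only passes records matching its own filter, so
# chaining stages ANDs the filters and gives the same result as the
# single long expression while keeping every stage's expression short.

# build_pipeline FILE MAXLEN CLAUSE...
# Prints one pipeline; the "or" list inside each stage stays within
# MAXLEN characters (a single clause longer than MAXLEN gets its own stage).
# The body runs in a subshell so its variables do not leak to the caller.
build_pipeline() (
  file=$1 max=$2; shift 2
  out="" chunk="" cmd="ra -nr $file"   # first stage reads the argus file
  for clause in "$@"; do
    candidate="${chunk:+$chunk or }($clause)"
    if [ -n "$chunk" ] && [ "${#candidate}" -gt "$max" ]; then
      # Group is full and more clauses follow: emit it as a non-final
      # stage that writes argus records to stdout (-w -) for the next ra.
      out="${out:+$out | }$cmd -w - 'not ($chunk)'"
      cmd="ra -n"                      # later stages read from the pipe
      chunk="($clause)"
    else
      chunk=$candidate
    fi
  done
  # Final stage prints the records that no allowed clause matched.
  [ -z "$chunk" ] || out="${out:+$out | }$cmd 'not ($chunk)'"
  printf '%s\n' "$out"
)

# Constructed sample: three allowed-traffic clauses, budget of 45 characters.
build_pipeline argus.file 45 \
  "tcp and dst port 25" \
  "udp and port 53" \
  "icmp"
```

The function only prints the command line so it can be reviewed before it is run; lowering the budget produces more, shorter stages.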