long jumps not supported

[Peter Van Epp]

	A useful regression test of the patch would be to use multiple ra
invocations to process a data file (saving the output to a file) then 
feed the same expression in to ra as a single filter and save that output
to a file and compare the two output files.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> Chas and Carter,
> 
> Thank you for your replies -- they were very helpful.
> 
> Carter's new versions of gencode.h and argus_util.c seem to take care of 
> the problem. I cannot determine if the patch breaks anything under the 
> surface because I have not been running Argus for long enough to notice the 
> difference in behavior. I've been using the new code today without any 
> problems.
> 
> Chas' workaround of using multiple "ra" evocations with split-up versions 
> of the original filter file works well too, especially for those who do not 
> wish to incorporate the patch into their Argus distributions.
> 
> -- Lenny
> 
>  > -----Original Message-----
>  > From: owner-argus at lists.andrew.cmu.edu
>  > [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Lenny Zeltser
>  > Sent: Thursday, June 01, 2000 6:49 PM
>  > To: argus at lists.andrew.cmu.edu
>  > Subject: long jumps not supported
>  >
>  >
>  > Dear folks,
>  >
>  > I am in the process of setting up my tcpdump-based filter to
>  > perform basic
>  > intrusion detection functions via "ra". The filter file documents all
>  > traffic that is allowed, prefixed by a "not" as the outer-most
>  > expression,
>  > so that "ra" reports all traffic that should not be present.
>  >
>  > The filter file is approximately 700 characters long. I have reached a
>  > point, however, where as soon as I add a new clause to the filter, "ra"
>  > responds with the following error:
>  >
>  >    ra: expression: long jumps not supported
>  >
>  > Is my filter file too long for the program to handle? If so, how
>  > do people specify complex rules to the program?
> 
>