Snort mailing list archives
RE: I must be think why can't I use bpf filters?
From: Tom Sevy <tsevy () epx com>
Date: Wed, 10 Jul 2002 14:58:58 -0400
Does the BPF interpretation get handled in snort code or passed along to libpcap?

When I built a bpf filter, I had to add escape chars in front of the parens:

    .... not \(src net 1.2.3 and dst net 1.2.3\)

In this case to ignore inside-to-inside traffic.....

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Wednesday, July 10, 2002 2:45 PM
To: Michael Scheidell
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] I must be think why can't I use bpf filters?

On Wed, 10 Jul 2002, Michael Scheidell wrote:
> I guess something is wrong with me and the way I thought I should use bpf
> filters (snort 1.86, 1.87beta and 1.87 release)
>
> If I use a bpf filter I don't get ANY alerts.
>
> Starting snort like this:
>
> /usr/local/bin/snort -doDI -m 022 -z \
>     -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
>     -F /usr/local/share/snort/snort.bpf
>
> cat /usr/local/share/snort/snort.bpf:
> not src host 10.1.1.10
>
> someone answered, and I guess it wasn't clear, I thought they said that it
> was a bug and was being addressed.
>
> What I want is to filter out all events, alerts (at the bpf level)
> emanating from host 10.1.1.10. (no, pass ip 10.1.1.10 any -> any any is
> not what I want... I'm looking to eliminate stream, frag and syn alerts as
> well).
Have you tried not using a 'bpf file'?  Just with

    snort <options> 'not src host 10.1.1.10'

and

    snort <options> 'not (src host 10.1.1.10)'

Cheers!

-----
Erek Adams
   Nifty-Type-Guy
   TheAdamsFamily.Net

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Two, two, TWO treats in one.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
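Tom's question (does snort interpret the BPF string itself, or hand it to libpcap?) and the backslashes he had to add are two sides of one thing: snort passes the filter text to libpcap's pcap_compile() as-is, and the escaping is needed only because an unquoted "(" is shell syntax, so the shell chokes on it before snort ever sees the expression. The script below is an added example written for this archive page, not code from the thread or from Snort; its build_filter function is a stand-in that only mimics snort joining the trailing command-line words into a single filter string.

```shell
#!/bin/sh
# Added example, not from the thread: the parentheses in a BPF expression
# need escaping or quoting only because of the SHELL. Snort hands the
# filter string (from the -F file, or the trailing command-line words
# joined by spaces) to libpcap's pcap_compile(); an unquoted "(" is parsed
# by the shell as the start of a subshell before snort is even started.

# Stand-in for snort's handling of trailing arguments: join all words
# with single spaces into one filter string (assumption: this is how the
# trailing words on the command line end up as one expression).
build_filter() {
    printf '%s' "$*"
}

# Form 1: backslash-escaped parens, as in Tom's reply. The shell removes
# the backslashes and passes snort several separate words.
escaped_form() {
    build_filter not \(src net 1.2.3 and dst net 1.2.3\)
}

# Form 2: the whole expression single-quoted, as Erek suggested. The shell
# passes snort exactly one word; the joined result is the same string.
quoted_form() {
    build_filter 'not (src net 1.2.3 and dst net 1.2.3)'
}

# Form 3: no quoting at all. Run in a child shell so the syntax error does
# not abort this script; report whether the child could even parse it.
unquoted_form_status() {
    if sh -c 'printf "%s" not (src net 1.2.3 and dst net 1.2.3)' >/dev/null 2>&1; then
        echo parsed
    else
        echo syntax-error
    fi
}

# Form 4: a -F filter file. No shell is involved when snort reads the file,
# so the expression is written plainly. Backslashes in the file would be
# handed to libpcap literally instead of being stripped.
filter_file_contents() {
    f=$(mktemp)
    printf 'not (src host 10.1.1.10)\n' > "$f"
    cat "$f"
    rm -f "$f"
}

echo "escaped : $(escaped_form)"
echo "quoted  : $(quoted_form)"
echo "unquoted: $(unquoted_form_status)"
echo "-F file : $(filter_file_contents)"
```

Both the escaped and the single-quoted forms reach snort as the identical string `not (src net 1.2.3 and dst net 1.2.3)`; the unquoted form never reaches snort at all. When a filter lives in a `-F` file, write it exactly as libpcap expects it, without any shell escaping.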
Current thread:
- I must be think why can't I use bpf filters? Michael Scheidell (Jul 10)
- Re: I must be think why can't I use bpf filters? Erek Adams (Jul 10)
- <Possible follow-ups>
- RE: I must be think why can't I use bpf filters? Tom Sevy (Jul 10)