Snort mailing list archives

win2000 pro, problem with bpf using a file


From: "Turnquist,Wayne" <WayneTurnquist () catholichealth net>
Date: Mon, 15 Nov 2004 08:53:34 -0600

I tried searching Google for some examples of using a bpf file with multiple entries to show me the correct format.


I have Snort 2.2.0, MySQL and ACID up and running fine. I am also using the pass filters to weed out my false 
positives. But now I have a few http_inspect alerts I need to filter out, for which I was going to use the bpf file. The 
following is an example I'm using:



not (src host x.x.x.x and dest net y.y.y.0 and dest port z.z.z.z) and not (src host x.x.x.x and dest net p.p.p.0 and 
dest port z.z.z.z)

My reading of the rule is that I want to capture all traffic except if a packet matches any of the rules. Is this rule 
written correctly?


My first attempt at this was that I added about 10 rules to this file and was getting syntax errors. The only way I 
could get the file read in was to add everything to one line.

1) Is there a format where I could add rules one line at a time instead of all on one line, e.g.
not (src host x.x.x.x and dest net y.y.y.0 and dest port z.z.z.z) and
not (src host x.x.x.x and dest net p.p.p.0 and dest port z.z.z.z) and
as many other rules as needed?


2) If my rule is written right, I'm still getting alerts showing up that should be dropped by the bpf filter file that 
was read into Snort. How can I do a test to see if what was written is at least loaded and interpreted correctly by Snort? 
Or is this a known issue with the Windows version of Snort?

I hope I explained my problem well enough to be understood.

thanks
wt
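The two questions in the post (how to lay a filter file out over several lines, and how to check that the filter does what you think before handing it to Snort) can both be answered offline with a small checker. The module below is an added example, not code from the post or from the Snort project: it joins a multi-line filter file into the single expression that libpcap's pcap_compile() would see (libpcap's lexer treats newlines as ordinary whitespace), parses the subset of the filter grammar used in pass-filter files, and evaluates the result against constructed sample packets so you can see which ones a given filter keeps and which it drops. The keywords follow libpcap's filter syntax, which spells the direction qualifier `dst` (not `dest`) and takes a numeric `port`; the `_net` helper reproduces libpcap's netmask rule for a bare `net` argument, where a full dotted quad such as `198.51.100.0` gets a /32 mask (effectively a host match) and only a dotted triple gets /24, so an explicit `/24` is the safest way to write a subnet. The authoritative check remains `tcpdump -d -F filter.bpf`, which compiles the file and dumps the BPF program (Snort reads the same kind of file with its `-F` option); this module only mirrors the boolean semantics. The packet dictionaries and filter text are constructed for the example.

```python
"""Checker and evaluator for the libpcap filter subset used in Snort BPF files (added example)."""
import ipaddress
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")  # parentheses are tokens; everything else splits on whitespace

def load_filter(text):
    """Join a multi-line filter file into the one expression pcap_compile() sees;
    libpcap treats newlines as whitespace, so only the spacing changes."""
    expr = " ".join(text.split())
    if expr.count("(") != expr.count(")"):
        raise ValueError("unbalanced parentheses in filter")
    return expr

def _net(spec):
    """libpcap mask rule for a bare `net` argument: a dotted quad is /32 (a host
    match, not a subnet!), a dotted triple /24, a pair /16, one number /8.
    An explicit /len is used as given."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

class _Parser:
    """expr := conj ('or' conj)*; conj := unary ('and' unary)*;
    unary := 'not' unary | '(' expr ')' | [src|dst] (host|net|port) value"""
    def __init__(self, expr):
        self.toks, self.i = TOKEN_RE.findall(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError if the filter ends early
    def chain(self, words, sub):  # left-associative run of one operator level
        node = sub()
        while self.peek() in words:
            self.take()
            node = (words[0], node, sub())
        return node
    def expr(self):  # 'or' binds more loosely than 'and', which binds more loosely than 'not'
        return self.chain(("or", "||"), lambda: self.chain(("and", "&&"), self.unary))
    def unary(self):
        tok = self.peek()
        if tok in ("not", "!"):
            self.take()
            return ("not", self.unary())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        direction = self.take() if tok in ("src", "dst") else "either"
        qual, value = self.take(), self.take()
        if qual not in ("host", "net", "port"):
            raise ValueError(f"unsupported or misspelled qualifier {qual!r}")
        if qual == "port" and not value.isdigit():
            raise ValueError(f"port must be numeric, got {value!r}")
        return (qual, direction, value)

def parse(text):
    """Parse a filter file; raises ValueError (or IndexError) on anything this subset rejects."""
    p = _Parser(load_filter(text))
    node = p.expr()
    if p.peek() is not None:
        raise ValueError(f"unexpected token {p.peek()!r}")
    return node

def evaluate(node, pkt):
    """pkt: dict with src, dst (dotted IPv4 strings) and sport, dport (ints)."""
    op = node[0]
    if op == "not":
        return not evaluate(node[1], pkt)
    if op in ("and", "or"):
        left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
        return (left and right) if op == "and" else (left or right)
    qual, direction, value = node
    sides = ("src", "dst") if direction == "either" else (direction,)
    if qual == "port":
        return any(pkt[s[0] + "port"] == int(value) for s in sides)  # sport / dport
    if qual == "host":
        return any(ipaddress.ip_address(pkt[s]) == ipaddress.ip_address(value) for s in sides)
    return any(ipaddress.ip_address(pkt[s]) in _net(value) for s in sides)

def captured(filter_text, packets):
    """Packets the sensor would keep: those for which the whole filter is true."""
    node = parse(filter_text)
    return [p for p in packets if evaluate(node, p)]

# Constructed sample filter file: one "not (...)" clause per line, joined by a trailing "and".
SAMPLE_FILTER = """
not (src host 192.0.2.10 and dst net 198.51.100.0/24 and dst port 80) and
not (src host 192.0.2.10 and dst net 203.0.113.0/24 and dst port 80)
"""
SAMPLE_PACKETS = [  # constructed packets; the comments give the expected outcome
    {"src": "192.0.2.10", "dst": "198.51.100.7", "sport": 40000, "dport": 80},   # dropped, clause 1
    {"src": "192.0.2.10", "dst": "203.0.113.9", "sport": 40001, "dport": 80},    # dropped, clause 2
    {"src": "192.0.2.10", "dst": "198.51.100.7", "sport": 40002, "dport": 443},  # kept, port differs
    {"src": "192.0.2.11", "dst": "198.51.100.7", "sport": 40003, "dport": 80},   # kept, source differs
]
```

Running `captured(SAMPLE_FILTER, SAMPLE_PACKETS)` returns only the last two packets, which is the "capture everything except what matches any clause" behaviour the post describes. The parser rejects a `dest` qualifier or a non-numeric port with a ValueError that names the offending token, which is the quickest way to find out why a file full of clauses fails to compile; once the file parses here, `tcpdump -d -F` on the same file confirms that libpcap agrees.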



