Re: Snort BPF.filter doesn't work

[James Lay <jlay () slave-tothe-box net>]

On 2014-07-10 10:25, Robert Millott wrote:
> I Understand about the business IP, can you clean up a single line 
> and
> modify the addresses? I just want to see if there is something wrong
> with my syntax.  My system is also off the internet, so I understand
> that problem.  My bpf.filter has a single line in it
>
> not host 192.168.1.1
>
> so I just wanted to see if yours had any different syntax I may be
> missing out on.
>
> The way I tested it was I added a snort rule to my misc.rules. The
> rule is
>
> alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid: 99999;
> rev: 1)
>
> This alert fires constantly whenever I hit the web page on
> 192.168.1.1.  I then fired up snort, adding a -F
> /etc/snort/bpf.filter to the command line, and looking for alerts.  I
> continue to get alerts on my test rule, which tells me snort isnt
> ignoring all my traffic to that host.
>
> Suggestions?  
>
> Yea, I ve seen the pfring stuff, and debated switcching to it, but it
> looks like allot of effort to set up, and I was originally hoping a
> real simple bpf filter would do what I needed.
>
> Thanx

Please copy and past an actual alert event text.

James


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!