Re: Snort BPF.filter doesn't work

[waldo kitty <wkitty42 () windstream net>]

On 7/11/2014 8:01 AM, Robert Millott wrote:
> The problem I had was that I was trying to filter on the address 192.168.1.1.
>   src and dst addresses were the addresses of the GRE tunnel, so they did not
> match the src and dst address filters I had in place.  Within the gre
> encapsulated packet was the address 192.168.1.1 and that is what set the snort
> alert off, but since it wasn''t the packets src or dst address, the bpf filter
> didn't catch it.  To fix it, I added gre to the bpf filter, ie
>
> not (proto gre or host address 192.168.1.1)
>
> I chose to drop all GRE packets, figuring I would catch the traffic im looking
> for when it isn't encapsulated. Then I could filter the 192.168.1.1 traffic.
>
> Hope that helps someone else

nice! thank you, sir :)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!