Snort mailing list archives
I must be think why can't I use bpf filters?
From: "Michael Scheidell" <scheidell () secnap net>
Date: Wed, 10 Jul 2002 14:35:39 -0400
I guess something is wrong with me and the way I thought I should use bpf filters (snort 1.86, 1.87beta and 1.87 release).

If I use a bpf filter I don't get ANY alerts.

Starting snort like this:

    /usr/local/bin/snort -doDI -m 022 -z \
      -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
      -F /usr/local/share/snort/snort.bpf

cat /usr/local/share/snort/snort.bpf:

    not src host 10.1.1.10

Someone answered, and I guess it wasn't clear; I thought they said that it was a bug and was being addressed.

What I want is to filter out all events, alerts (at the bpf level) emanating from host 10.1.1.10. (No, pass ip 10.1.1.10 any -> any any is not what I want... I'm looking to eliminate stream, frag and syn alerts as well.)

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Current thread:
- I must be think why can't I use bpf filters? Michael Scheidell (Jul 10)
- Re: I must be think why can't I use bpf filters? Erek Adams (Jul 10)
- <Possible follow-ups>
- RE: I must be think why can't I use bpf filters? Tom Sevy (Jul 10)