Snort mailing list archives

What is the correct syntax for bpf_file?


From: Miguel Alvarez <miguellvrz9 () gmail com>
Date: Tue, 29 Jan 2013 17:38:54 +0100

I have a list of my nessus scanners in my /etc/snort/bpf_file but they're
still triggering alerts.  I've got them listed in the following syntax for
example:

not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/eth6 -F /etc/snort/bpf_file

And it shows up in the syslog when snort starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
/etc/snort/bpf_file
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host
10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan
OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} 10.10.1.1:49870 -> 10.10.1.43:22

This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?

Thank you!

MA
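As an added example (not part of the original post and not Snort's own code), the following Python check parses a bpf_file written in the syntax above together with Snort fast-alert lines, and reports any alert whose endpoints the filter should have excluded before detection; a non-empty report means the filter is not taking effect. The filter text and the alert lines are constructed for the example, with the first alert copied from the post.

```python
import re
from ipaddress import ip_address

# Constructed bpf_file contents, in the same syntax as the post.
BPF_FILE = """not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)
"""

# Constructed Snort fast-alert lines (the first one is taken from the post).
ALERTS = """01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
01/29-16:36:29.000001  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.50:40000 -> 10.10.1.43:22
01/29-16:36:30.000002  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.43:22 -> 10.10.1.2:49871
"""

# Matches "not (src host A.B.C.D)", "not (dst host ...)" or "not (host ...)".
EXCLUDE_RE = re.compile(r"not\s*\(\s*(src|dst)?\s*host\s+(\d+\.\d+\.\d+\.\d+)\s*\)")
# Matches the "{PROTO} src[:port] -> dst[:port]" tail of a fast-alert line.
ALERT_RE = re.compile(
    r"\{(\w+)\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?")


def parse_bpf_exclusions(text):
    """Return {'src': set, 'dst': set} of hosts negated in the filter.
    A bare 'host' (no direction) excludes the address in both directions."""
    excl = {"src": set(), "dst": set()}
    for direction, host in EXCLUDE_RE.findall(text):
        ip_address(host)  # raises ValueError on a malformed address
        for d in ([direction] if direction else ["src", "dst"]):
            excl[d].add(host)
    return excl


def alerts_that_should_be_filtered(alert_text, excl):
    """Return (line_no, src, dst) for every alert whose source is an excluded
    src host or whose destination is an excluded dst host. Such alerts can
    only exist if the packet reached the detection engine, i.e. the BPF
    filter did not drop it."""
    leaked = []
    for n, line in enumerate(alert_text.splitlines(), 1):
        m = ALERT_RE.search(line)
        if not m:
            continue
        _, src, dst = m.groups()
        if src in excl["src"] or dst in excl["dst"]:
            leaked.append((n, src, dst))
    return leaked
```

The third constructed alert (reply traffic toward 10.10.1.2) is not reported because the filter only negates `src host`; writing `not host 10.10.1.2` would exclude that address in both directions.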