Snort mailing list archives

Re: What is the correct syntax for bpf_file?


From: rmkml <rmkml () yahoo fr>
Date: Tue, 29 Jan 2013 17:44:11 +0100 (CET)

Hi Miguel,
Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
Regards
Rmkml



On Tue, 29 Jan 2013, Miguel Alvarez wrote:

I have a list of my Nessus scanners in my /etc/snort/bpf_file but they're still triggering alerts. I've got them listed in the following syntax for example:
not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth6 -F /etc/snort/bpf_file

And it shows up in the syslog when snort starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file: /etc/snort/bpf_file
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22

This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?

Thank you!

MA
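As an added illustration (not part of the thread, and not Snort or libpcap code), here is a small Python evaluator for the BPF subset both spellings above use. It joins a multi-line bpf_file into one expression and checks that the multi-line `not (...) &&` form and the suggested `not src host (A or B or C)` form accept and reject the same source addresses; the function names `bpf_file_to_expression` and `matches` are my own, and the evaluator only looks at a packet's source address, which is all these filters test.

```python
# Constructed copies of the two filter spellings from the thread.
ORIGINAL_BPF_FILE = """not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)
"""
SUGGESTED_BPF = "not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)"


def bpf_file_to_expression(text):
    """Join a multi-line bpf_file into the single expression libpcap compiles."""
    return " ".join(line.strip() for line in text.splitlines() if line.strip())


def matches(expression, src_ip):
    """True if a packet from src_ip passes the filter. Handles the subset used in
    the thread: not, and/&&, or, parentheses, 'src host A', 'src host (A or B)'."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]  # cursor into tokens, shared by the nested parsers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def or_expr():  # lowest precedence: A or B
        value = and_expr()
        while peek() == "or":
            take()
            value = and_expr() or value  # parse the rhs before combining
        return value

    def and_expr():  # 'and' and '&&' are synonyms in BPF
        value = unary()
        while peek() in ("and", "&&"):
            take()
            value = unary() and value
        return value

    def unary():
        tok = take()
        if tok == "not":
            return not unary()
        if tok == "(":
            value = or_expr()
            take()  # closing parenthesis
            return value
        if tok != "src" or take() != "host":
            raise ValueError("only 'src host' primitives are supported")
        # 'src host (A or B)' is BPF shorthand for 'src host A or src host B'
        hosts = [take()] if peek() != "(" else [t for t in iter(take, ")") if t not in ("(", "or")]
        return src_ip in hosts

    return or_expr()
```

Running both filters over the alert's source (10.10.1.1) and a few other addresses shows they drop and pass exactly the same packets.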

