Snort mailing list archives

Re: Network Variables


From: "Seth Dunn" <seth () d2ms com>
Date: Wed, 1 May 2013 13:09:46 -0400

Ok, that is what I was thinking.
Now my bpf file, I initially did this:
not net 10.10.0.0/24 and not net 10.30.0.0/24
And that appears to work... snort started, and I didn't get alerts... maybe the users didn't do anything to trigger the alerts, who knows.
So I wanted to tighten it up to make it a bit more specific.
So I wanted to comment the line:
# not net 10.10.0.0/24 and not net 10.30.0.0/24
and add in this one:
not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

So if I do that, then snort fails to start; it has problems with the bpf file... it will not let me comment lines, so I can't add descriptions.
So I deleted the first line and left in:
not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

Snort again starts and runs, and so far has not generated alerts... but again, the users may have just not done anything to generate the alerts.
So I will watch it for the next day and see what happens.

But any ideas why snort fails to start if I add a '#' to comment a line?


-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net] 
Sent: Wednesday, May 01, 2013 11:49 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

On 5/1/2013 11:11, Seth Dunn wrote:
Do you have to use the -F switch to call the bpf file, or can you just
configure in the snort.conf file to use it and the bpf file is
processed?

it should work the same either way... if it does not, it may be a bug...
joel or someone on the dev team may be able to answer that question...

FWIW: my understanding is that command line switches override conf file
entries...

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
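The "tightened" filter in the message above mixes `and`, `&&` and `or` without parentheses, so its meaning depends on pcap-filter precedence: `not` binds tightest, then `and`/`&&`, then `or`/`||`. The following is an added example, not code from the original message or from the Snort project. It parses that subset of the pcap-filter grammar with the same precedence rules and evaluates the author's two filters, plus a parenthesised form (FILTER_GROUPED, an assumption about what "exclude both nets, then narrow to the web server" was meant to say) against constructed sample packets. The Packet fields and sample addresses are invented for the demonstration; to check a filter against libpcap itself, `tcpdump -d '<filter>'` prints the compiled program. Note also that the pcap-filter language itself has no comment syntax, so a '#' line only survives if whatever reads the file strips it before the text reaches libpcap.

```python
"""Model of pcap-filter (BPF) operator precedence applied to the filters
posted above. Added example: parses net/host/port with optional src/dst,
not/and/or (&&, || aliases) and parentheses, then evaluates against
constructed packets. Does not call libpcap."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields the filters look at (assumed layout)."""
    src: str
    dst: str
    sport: int
    dport: int


FILTER_ORIGINAL = "not net 10.10.0.0/24 and not net 10.30.0.0/24"
FILTER_TIGHTENED = (
    "not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 "
    "or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80"
)
# Assumed intent, not posted by the author: exclude both nets, then narrow.
FILTER_GROUPED = (
    "(not net 10.10.0.0/24 and not net 10.30.0.0/24) "
    "and dst host 10.75.45.1 and dst port 80"
)

_TOKEN = re.compile(r"\(|\)|&&|\|\||[^\s()]+")


class FilterParser:
    """Recursive descent: or_expr -> and_expr -> not_expr -> primary."""

    def __init__(self, expr):
        self.toks = _TOKEN.findall(expr)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        tree = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return tree

    def _or(self):  # lowest precedence
        left = self._and()
        while self._peek() in ("or", "||"):
            self._take()
            left = ("or", left, self._and())
        return left

    def _and(self):
        left = self._not()
        while self._peek() in ("and", "&&"):
            self._take()
            left = ("and", left, self._not())
        return left

    def _not(self):  # highest precedence
        if self._peek() in ("not", "!"):
            self._take()
            return ("not", self._not())
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "(":
            tree = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return tree
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok not in ("net", "host", "port"):
            raise ValueError(f"unsupported qualifier {tok!r}")
        return ("prim", direction, tok, self._take())


def evaluate(tree, pkt):
    kind = tree[0]
    if kind == "or":
        return evaluate(tree[1], pkt) or evaluate(tree[2], pkt)
    if kind == "and":
        return evaluate(tree[1], pkt) and evaluate(tree[2], pkt)
    if kind == "not":
        return not evaluate(tree[1], pkt)
    _, direction, qual, value = tree
    if qual == "port":
        ports = {"src": [pkt.sport], "dst": [pkt.dport], None: [pkt.sport, pkt.dport]}
        return int(value) in ports[direction]
    # "host a.b.c.d" is a /32; an undirected "net"/"host" matches either endpoint.
    network = ipaddress.ip_network(value, strict=False)
    addrs = {"src": [pkt.src], "dst": [pkt.dst], None: [pkt.src, pkt.dst]}
    return any(ipaddress.ip_address(a) in network for a in addrs[direction])


def matches(expr, pkt):
    """True if libpcap would hand this packet to Snort under the filter."""
    return evaluate(FilterParser(expr).parse(), pkt)


# Constructed sample traffic: one host from each excluded net and one
# outside host, all talking to the web server at 10.75.45.1.
SAMPLE = [
    Packet("10.10.0.5", "10.75.45.1", 51000, 80),
    Packet("10.30.0.7", "10.75.45.1", 51001, 80),
    Packet("10.50.1.2", "10.75.45.1", 51002, 80),
    Packet("10.50.1.2", "10.75.45.1", 51003, 443),
]

if __name__ == "__main__":
    for name, expr in [("original", FILTER_ORIGINAL), ("tightened", FILTER_TIGHTENED),
                       ("grouped", FILTER_GROUPED)]:
        print(f"{name:9s}", [matches(expr, p) for p in SAMPLE])
```

Because `and` binds tighter than `or`, FILTER_TIGHTENED reads as `(not net A and dst host H and dst port 80) or (not net B and dst host H and dst port 80)`: a packet from 10.10.0.0/24 fails the first clause but satisfies the second, so both excluded nets still get through to 10.75.45.1:80 and the `not net` terms do nothing. The grouped form excludes them as the original filter did.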


