Re: BPF Filters

[James Lay <jlay () slave-tothe-box net>]

On 2014-11-14 14:06, Turnbough, Bradley E. wrote:
> Hi All,
>
> I've been running snort for quite a while now with no problems.  I
> would like to set up a BPF filter to ignore ESP encapsulated traffic.
>
> As a test, I created a file called snort-em1.bpf and placed the
> following rule in it:
>
> !(src net 192.168.10.0/24 && dst port 22)
>
>
> Then I attempted to start snort:
>
> /usr/sbin/snort -i em1 -u snort -g snort -c /etc/snort/snort-em1.conf
> -f /etc/snort/bpfs/snort-em1.bpf -l /var/log/snort/em1
>
> However, snort refuses to start:
>
> ERROR: Can't set DAQ BPF filter to '/etc/snort/bpfs/snort-em1.bpf'
> (pcap_daq_set_filter: pcap_compile: syntax error)!
>
>
> Can someone please help me?
>
> Brad

Quote it:

"not (src net 192.168.10.0/24 and dst port 22)"

Safe some hassle and lose as many special characters as you can.  You 
can test with:

/usr/sbin/snort -i em1 -u snort -g snort -c /etc/snort/snort-em1.conf 
/usr/sbin/snort -i em1 -u snort -g snort -c /etc/snort/snort-em1.conf 
"not (src net 192.168.10.0/24 and dst port 22)"

James

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!