Snort mailing list archives

Query on Snort BPF


From: setests setests <setests () gmail com>
Date: Sun, 5 Feb 2017 12:28:05 +0530

Hi

If I have a filter like this for Snort, which gets loaded with the -F
switch, why would Snort alert for the IP 172.16.10.37? The Snort version
I am currently running is 2.9.9.0.

Is my BPF flawed somehow?

not ((udp and port 6000) or (udp and port 7000) or (tcp and port 3389) or
host 172.16.10.37 or host 172.17.38.5 or host 172.18.10.62 or host
172.18.38.24 or net 50.76.0.0/14 or net 60.112.0.0/13 or net 70.120.0.0/14
or net 80.74.0.0/15 or net 90.124.0.0/16 or net 50.125.0.0/17 or net
50.96.0.0/12 or net 50.80.0.0/12 or net 122.245.0.0/16 or net 127.116.0.0/16
or net 127.54.0.0/15 or net 127.60.0.0/16 or net 127.56.0.0/14 or net
84.112.184.0/22)
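
The following is an added example, not part of the original post: a small Python model of the boolean logic of the filter above, run against constructed packets. It covers only the primitives this filter uses; `parse`, `passes` and `SAMPLES` are hypothetical names, and the model does not reproduce how libpcap compiles the expression or how Snort applies it.

```python
import ipaddress
import re

# The filter as posted, joined onto one line.
FILTER = (
    "not ((udp and port 6000) or (udp and port 7000) or (tcp and port 3389) or "
    "host 172.16.10.37 or host 172.17.38.5 or host 172.18.10.62 or host "
    "172.18.38.24 or net 50.76.0.0/14 or net 60.112.0.0/13 or net 70.120.0.0/14 "
    "or net 80.74.0.0/15 or net 90.124.0.0/16 or net 50.125.0.0/17 or net "
    "50.96.0.0/12 or net 50.80.0.0/12 or net 122.245.0.0/16 or net 127.116.0.0/16 "
    "or net 127.54.0.0/15 or net 127.60.0.0/16 or net 127.56.0.0/14 or net "
    "84.112.184.0/22)"
)

def parse(expr):
    """Extract the three kinds of primitive this filter uses (hypothetical helper)."""
    ports = {(p, int(n)) for p, n in re.findall(r"\((udp|tcp) and port (\d+)\)", expr)}
    hosts = {ipaddress.ip_address(h) for h in re.findall(r"\bhost\s+([\d.]+)", expr)}
    # strict=True raises ValueError if a prefix has host bits set (a likely typo).
    nets = [ipaddress.ip_network(n, strict=True)
            for n in re.findall(r"\bnet\s+([\d./]+)", expr)]
    return ports, hosts, nets

def passes(pkt, expr=FILTER):
    """True if the packet survives 'not (...)', i.e. matches no excluded term."""
    ports, hosts, nets = parse(expr)
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    excluded = (
        # 'port', 'host' and 'net' without a direction match source or destination.
        (pkt["proto"], pkt["sport"]) in ports
        or (pkt["proto"], pkt["dport"]) in ports
        or src in hosts or dst in hosts
        or any(src in n or dst in n for n in nets)
    )
    return not excluded

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "excluded host": dict(proto="tcp", src="172.16.10.37", sport=51000, dst="10.1.1.5", dport=80),
    "udp port 6000": dict(proto="udp", src="10.1.1.9", sport=6000, dst="10.1.1.5", dport=53),
    "tcp port 6000": dict(proto="tcp", src="10.1.1.9", sport=6000, dst="10.1.1.5", dport=80),
    "excluded net": dict(proto="tcp", src="10.1.1.9", sport=51000, dst="50.77.1.1", dport=443),
    "unrelated": dict(proto="tcp", src="10.1.1.9", sport=51000, dst="10.1.1.5", dport=80),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} -> {'passed to Snort' if passes(pkt) else 'filtered out'}")
```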