Snort mailing list archives
Re: I must be think why can't I use bpf filters?
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 10 Jul 2002 11:45:04 -0700 (PDT)
On Wed, 10 Jul 2002, Michael Scheidell wrote:
I guess something is wrong with me and the way I thought I should use bpf filters (snort 1.86, 1.87beta and 1.87 release). If I use a bpf filter I don't get ANY alerts. Starting snort like this:

    /usr/local/bin/snort -doDI -m 022 -z \
        -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
        -F /usr/local/share/snort/snort.bpf

cat /usr/local/share/snort/snort.bpf:

    not src host 10.1.1.10

Someone answered, and I guess it wasn't clear; I thought they said that it was a bug and was being addressed. What I want is to filter out all events, alerts (at the bpf level) emanating from host 10.1.1.10. (No, "pass ip 10.1.1.10 any -> any any" is not what I want... I'm looking to eliminate stream, frag and syn alerts as well).
Have you tried not using a 'bpf file'? Just with

    snort <options> 'not src host 10.1.1.10'

and

    snort <options> 'not (src host 10.1.1.10)'

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net