Snort mailing list archives

Re: Snort 1.8.7b6 not listen to BPF filters


From: Andreas Östling <andreaso () it su se>
Date: Fri, 19 Jul 2002 22:28:30 +0200 (CEST)


On Fri, 19 Jul 2002, Michael Scheidell wrote:

/usr/local/bin/snort -doDI -m 022 -z \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
not src host 10.1.1.10

source of attack was 216.241.67.74.  Destination was 10.1.1.10

Here is a theory.
The filter "not src host 10.1.1.10" makes Snort see only packets in one
direction when attacking from 216.241.67.74 -> 10.1.1.10, so Snort never
gets that this is actually an established session. Since -z is specified,
no alert is generated (which should probably be regarded as correct).

What do you think?
What happens if you run without -z?

/Andreas
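Andreas's theory, as an added simulation (not code from the thread or from Snort itself): a minimal stand-in for stream4's established-stream check, fed only the packets that pass a BPF-like predicate. The two addresses come from the thread; the packet sequence, the rule keyword and the tracker logic are constructed assumptions.

```python
from collections import namedtuple

RULE_CONTENT = b"suspicious"  # constructed stand-in for a content: rule match

# Constructed packet model: no ports or sequence numbers, just enough for the handshake.
Pkt = namedtuple("Pkt", "src dst flags payload", defaults=(b"",))


def sample_session(attacker="216.241.67.74", victim="10.1.1.10"):
    """Constructed packets: full three-way handshake, then a request the rule matches."""
    return [
        Pkt(attacker, victim, "S"),
        Pkt(victim, attacker, "SA"),
        Pkt(attacker, victim, "A"),
        Pkt(attacker, victim, "PA", b"GET /" + RULE_CONTENT + b" HTTP/1.0\r\n"),
    ]


def bpf_not_src_host(host):
    """Mimics the BPF expression 'not src host <host>' (assumption: pure source match)."""
    return lambda p: p.src != host


class StreamTracker:
    """Stand-in for stream4: a flow is established only after SYN, SYN/ACK and ACK."""
    def __init__(self):
        self.state = {}
    def observe(self, p):
        key = frozenset((p.src, p.dst))
        cur = self.state.get(key)
        if p.flags == "S":
            self.state[key] = "SYN"
        elif p.flags == "SA" and cur == "SYN":
            self.state[key] = "SYN_ACK"
        elif "A" in p.flags and cur == "SYN_ACK":
            self.state[key] = "ESTABLISHED"
    def established(self, p):
        return self.state.get(frozenset((p.src, p.dst))) == "ESTABLISHED"


def run_sensor(packets, bpf=None, established_only=True):
    """Filter, then track, then match; established_only plays the role of -z."""
    tracker, alerts = StreamTracker(), []
    for p in packets:
        if bpf is not None and not bpf(p):
            continue                      # dropped by the kernel filter, Snort never sees it
        tracker.observe(p)
        if RULE_CONTENT in p.payload:
            if established_only and not tracker.established(p):
                continue                  # -z: ignore hits on streams never seen as established
            alerts.append((p.src, p.dst))
    return alerts
```

With the one-directional filter the SYN/ACK from 10.1.1.10 is never seen, so the flow never becomes established and -z suppresses the hit; dropping -z or the filter brings the alert back.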


