Snort mailing list archives

BPF Question


From: eltra1n <larry.wichman () gmail com>
Date: Wed, 7 Mar 2012 17:45:19 -0600

Hello -

I am loading the following BPF file in Snort.conf

((src || dst host ! (10.200.129.220 and 10.200.48.26 and 10.200.128.60
and not 10.200.22.12) && src || dst net ! (10.252.0.0/16 and
10.199.0.0/16 and 10.176.0.0/24 and 10.176.1.0/24 and 10.176.2.0/24
and 10.175.0.0/24) && tcp[2:2] > 1024 || tcp[1:1] > 1024))

I just want to look at TCP high ports and ignore some networks and hosts.

I am also loading perfmon:

preprocessor perfmonitor: \
#preprocessor perfmonitor: time 30 flow-ip flow-ip-file
flow-ip-stats.csv pktcnt 1000

In the flow-ip-stats.csv I see traffic to and from 10.252.0.0/16 (in
my BPF file).

I thought this would have been filtered. Is my BPF syntax wrong?

Thanks,
Larry
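An added example, not part of Larry's post, that models the boolean semantics of the posted filter with a small Python evaluator so the leak can be reproduced offline. Two facts about pcap filter expressions drive it: `not (host A and host B and host C)` is only false when one packet carries all three addresses at once, so for ordinary traffic the negation is true and nothing is excluded (the exclusion wants `not (host A or host B or host C)`); and `tcp[1:1]` is a single byte, so `tcp[1:1] > 1024` can never be true (the source port is `tcp[0:2]`, the destination port `tcp[2:2]`). The `host`, `net` and `tcp` helpers, the packet tuples and the two sample packets below are constructed for this example and only mimic libpcap primitives; they are not libpcap or Snort code.

```python
"""Added example (not from the original post): reproduce why the posted BPF
expression still passes 10.252.0.0/16 traffic, using a toy evaluator.

Assumptions: a packet is modelled as (src_ip, dst_ip, tcp_header_bytes); the
helpers host/net/tcp are hypothetical stand-ins for the pcap primitives
'host X', 'net X/Y' and 'tcp[off:size]'. '&&' and '||' are grouped left to
right at equal precedence, which is how pcap-filter evaluates them.
"""
import ipaddress


def host(pkt, addr):
    """pcap 'host X': true when X is the source or the destination address."""
    src, dst, _ = pkt
    return src == addr or dst == addr


def net(pkt, cidr):
    """pcap 'net X/Y': true when either endpoint lies inside the prefix."""
    src, dst, _ = pkt
    prefix = ipaddress.ip_network(cidr)
    return (ipaddress.ip_address(src) in prefix
            or ipaddress.ip_address(dst) in prefix)


def tcp(hdr, off, size):
    """pcap 'tcp[off:size]': big-endian unsigned integer of size bytes at off."""
    return int.from_bytes(hdr[off:off + size], "big")


# Address lists copied from the posted expression.
HOSTS = ["10.200.129.220", "10.200.48.26", "10.200.128.60"]
NETS = ["10.252.0.0/16", "10.199.0.0/16", "10.176.0.0/24",
        "10.176.1.0/24", "10.176.2.0/24", "10.175.0.0/24"]


def filter_as_posted(pkt):
    """Semantics of the expression as written.

    'host not (A and B and C and not D)' negates a conjunction: a packet
    would have to carry A, B and C simultaneously for the negation to be
    false, so in practice every packet passes. The same holds for the nets.
    """
    hdr = pkt[2]
    hosts_ok = not (all(host(pkt, h) for h in HOSTS)
                    and not host(pkt, "10.200.22.12"))
    nets_ok = not all(net(pkt, n) for n in NETS)
    # tcp[1:1] is one byte (0..255), so 'tcp[1:1] > 1024' is always false.
    return ((hosts_ok and nets_ok and tcp(hdr, 2, 2) > 1024)
            or tcp(hdr, 1, 1) > 1024)


def filter_corrected(pkt):
    """Intended semantics: drop anything touching a listed host or net, then
    keep TCP where the source port (tcp[0:2]) or destination port (tcp[2:2])
    is above 1024. Equivalent pcap text:
    not (host A or host B or host C or net N1 or ...)
      and (tcp[0:2] > 1024 or tcp[2:2] > 1024)
    """
    hdr = pkt[2]
    excluded = (any(host(pkt, h) for h in HOSTS)
                or any(net(pkt, n) for n in NETS))
    return not excluded and (tcp(hdr, 0, 2) > 1024 or tcp(hdr, 2, 2) > 1024)


def tcp_header(sport, dport):
    """Constructed minimal 20-byte TCP header with only the ports populated."""
    return sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(16)


# Constructed samples. LEAK is an HTTPS server replying to a 10.252.0.0/16
# client: it should be excluded but the posted filter lets it through.
# OK is ordinary client traffic from an unlisted host with a high source
# port: it should pass, but the posted filter drops it because it only
# ever inspects the destination port.
LEAK = ("10.10.10.10", "10.252.1.5", tcp_header(443, 50000))
OK = ("10.1.1.1", "10.2.2.2", tcp_header(40000, 80))

if __name__ == "__main__":
    for name, pkt in (("LEAK", LEAK), ("OK", OK)):
        print(name, "posted:", filter_as_posted(pkt),
              "corrected:", filter_corrected(pkt))
```

Running the block shows `LEAK` passing the posted filter and failing the corrected one, and `OK` the reverse. The quickest real-world check is `tcpdump -d '<expression>'`, which prints the compiled BPF program without needing Snort: a filter whose net exclusion has collapsed to "always true" is visible as a program with no comparisons against those prefixes.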

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!