[Snort-users] Snort 1.7 and Berkeley Packet Filters

Phil Wood cpw at ...440...
Wed Jan 24 14:33:44 EST 2001


On Wed, Jan 24, 2001 at 10:16:21AM -0800, Brent Erickson wrote:
> Hello all,
> 
> I have been doing a lot of searching for information on the correct Berkeley Packet Filtering syntax that Snort can use. I'm not having much luck. I know how to call certain simple BPF operations, but not exactly what I'm trying to accomplish.
> 
> I run Snort 1.7 in the mode:
> 
> snort -o -A fast -N -s -c snort.conf
> 
> and I would like to know what the correct BPF syntax would be to ignore my home network x.x.0.0/16 going out with a destination of port 80.

ip and not '(dst net 128.165.0.0/16 and dst port 80)'

> 
> I do not want to disable the new unicode and cgi decoding capabilities but I get too many messages with my network, such as cache engines as the source address.
> 
> Thanks for your help.
> 
> Brent Erickson
> 

-- 
Phil Wood, cpw at ...440...
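
Added example, not part of the original thread: a small Python model of the filter expression from the reply, showing which constructed packets it would hand to Snort. The `src net` form, the packet records and the function names are assumptions added here for comparison with the question's "going out" wording.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("128.165.0.0/16")  # network used in the reply

def in_home(addr):
    return ipaddress.ip_address(addr) in HOME_NET

def posted_filter(pkt):
    """Models: ip and not (dst net 128.165.0.0/16 and dst port 80)"""
    if not pkt["ip"]:          # the leading 'ip' primitive drops non-IPv4 frames
        return False
    return not (in_home(pkt["dst"]) and pkt["dport"] == 80)

def src_variant(pkt):
    """Models: ip and not (src net 128.165.0.0/16 and dst port 80)
    (comparison form, an assumption, not taken from the thread)"""
    if not pkt["ip"]:
        return False
    return not (in_home(pkt["src"]) and pkt["dport"] == 80)

# Constructed sample packets; 192.0.2.10 is a documentation address.
PACKETS = [
    {"name": "outbound_web", "ip": True, "src": "128.165.10.5",
     "dst": "192.0.2.10", "dport": 80},
    {"name": "inbound_web", "ip": True, "src": "192.0.2.10",
     "dst": "128.165.10.5", "dport": 80},
    {"name": "outbound_ssh", "ip": True, "src": "128.165.10.5",
     "dst": "192.0.2.10", "dport": 22},
    {"name": "web_reply", "ip": True, "src": "192.0.2.10",
     "dst": "128.165.10.5", "dport": 40000},
    {"name": "arp", "ip": False, "src": None, "dst": None, "dport": None},
]

def seen_by_snort(filter_fn):
    """Names of the sample packets the filter passes on to Snort."""
    return [p["name"] for p in PACKETS if filter_fn(p)]

if __name__ == "__main__":
    print("posted :", seen_by_snort(posted_filter))
    print("src net:", seen_by_snort(src_variant))
```

With the real tool, the expression goes at the end of the Snort command line after the other options, quoted as a whole so the shell does not interpret the parentheses.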




