[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Michael Boman michael.boman at ...4162...
Fri Jul 19 11:51:04 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have managed to isolate the issue to pre-processors, after I have applied 
both BPF filters (on command line and using the -F switch) as well as created 
a pass rule to pass all the traffic from the vuln-scan server (and still 
starting snort with the -o switch). I am still getting alerts thought, but 
they are from spp_stream4 and other spp_* processors now.

My guess is that some parts, or the whole, of snort is ignoring the ignore 
requests. Atleast with the 'pass' rule I managed to keep the number of alerts 
down somewhat, but still doesn't work as expected.

Best regards
 Michael Boman


On Saturday 20 July 2002 02:24, Michael Scheidell wrote:
> ----- Original Message -----
> From: "Michael Boman" <michael.boman at ...4162...>
> Newsgroups: local.snort.users
> Sent: Thursday, July 18, 2002 9:50 AM
> Subject: [Snort-users] Snort 1.8.7b6 not listen to BPF filters
>
> > and
> >
> > usr/bin/snort -D -U -o -i eth1 -c /etc/snort_eth1/snort.conf -F
> > /etc/snort_eth1/ignore.bpf -z
> >
> > where content of 'ignore.bpf' is:
> > not host x.x.x.x
>
> I have had the same problem since 1.8.6.x
> Sent in several requests for guidance, none of them have been very helpful
> so far.

- -- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9OF99ds5fQJiraJwRAvUkAKDRvKeEC93Qsqhpg+7xT9e8oWIqhQCggIOY
ClgkbfCeFBe268U6DEEvKcQ=
=0Yd/
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list