[Snort-users] Snort 1.8.7b6 not listen to BPF filters
michael.boman at ...4162...
Fri Jul 19 11:51:04 EDT 2002
I have managed to isolate the issue to pre-processors, after I have applied
both BPF filters (on command line and using the -F switch) as well as created
a pass rule to pass all the traffic from the vuln-scan server (and still
starting snort with the -o switch). I am still getting alerts though, but
they are from spp_stream4 and other spp_* processors now.
My guess is that some parts, or the whole, of snort is ignoring the ignore
requests. At least with the 'pass' rule I managed to keep the number of alerts
down somewhat, but it still doesn't work as expected.
On Saturday 20 July 2002 02:24, Michael Scheidell wrote:
> ----- Original Message -----
> From: "Michael Boman" <michael.boman at ...4162...>
> Newsgroups: local.snort.users
> Sent: Thursday, July 18, 2002 9:50 AM
> Subject: [Snort-users] Snort 1.8.7b6 not listen to BPF filters
> > and
> > usr/bin/snort -D -U -o -i eth1 -c /etc/snort_eth1/snort.conf -F
> > /etc/snort_eth1/ignore.bpf -z
> > where content of 'ignore.bpf' is:
> > not host x.x.x.x
> I have had the same problem since 1.8.6.x
> Sent in several requests for guidance, none of them have been very helpful
> so far.
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
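As an added illustration (a model written for this page, not Snort's own code), the order in which Snort 1.8 applies a libpcap BPF filter, a preprocessor such as spp_stream4, and rules reordered by -o: the packets, the scanner address, the SYN+FIN check and the rule set are constructed assumptions.

```python
# Model of Snort 1.8's packet path: BPF filter (libpcap) -> preprocessors
# -> rule engine. Not Snort code; packets and rules below are constructed.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: set = field(default_factory=set)

def bpf_matches(expr: str, pkt: Packet) -> bool:
    """Tiny BPF subset: 'host A.B.C.D' and 'not host A.B.C.D' (ignore.bpf)."""
    words = expr.split()
    negate = bool(words) and words[0] == "not"
    if negate:
        words = words[1:]
    if len(words) != 2 or words[0] != "host":
        raise ValueError(f"unsupported filter: {expr!r}")
    hit = pkt.src == words[1] or pkt.dst == words[1]
    return not hit if negate else hit

def stream4_preprocessor(pkt: Packet) -> list:
    """Stand-in for spp_stream4: flags a packet with SYN and FIN both set."""
    return ["spp_stream4: SYN+FIN"] if {"SYN", "FIN"} <= pkt.flags else []

SCANNER = "10.0.0.5"  # hypothetical vuln-scan server
RULES = [  # (action, match function, message)
    ("alert", lambda p: "SYN" in p.flags, "probe"),
    ("pass", lambda p: p.src == SCANNER, ""),
]

def detection_engine(pkt: Packet, rules: list, reorder_o: bool = False) -> list:
    """Rule engine. Default order is alert->pass->log; -o makes it pass->alert->log."""
    order = ("pass", "alert", "log") if reorder_o else ("alert", "pass", "log")
    for action in order:
        for act, match, msg in rules:
            if act == action and match(pkt):
                return [] if act == "pass" else [f"{act}: {msg}"]
    return []

def run_snort(pkt: Packet, bpf: str, rules: list, reorder_o: bool = False) -> list:
    """Alerts produced for one packet. An empty bpf means no -F filter.
    The BPF filter drops the packet before Snort decodes it; preprocessors
    run before rule matching, so a pass rule never reaches their alerts."""
    if bpf and not bpf_matches(bpf, pkt):
        return []
    alerts = stream4_preprocessor(pkt)
    alerts += detection_engine(pkt, rules, reorder_o)
    return alerts
```

With a working BPF filter the scanner's packets never reach the preprocessors; with only a pass rule and -o, the rule alert is suppressed but the spp_stream4 alert remains, which is the behaviour reported above.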