[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Michael Scheidell scheidell at ...5171...
Fri Jul 19 11:58:06 EDT 2002


> A couple of things here:
> 
> 	1)  Update to 1.8.7 since it's been released and has many bugfixes
> backported from 1.9 into it.
1.8.7 does same thing.


> 	2)  try it without using a "file".
> 
> 		snort <options> 'not host foo'

/usr/local/bin/snort -doDI -m 022 -z \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
not src host 10.1.1.10


does not record tcp attacks.

> 	3)  compile with debug and set DEBUG_INIT and DEBUG_CONFIGURES, then
> fire off with and without using the -F option.  See if there's anything odd
> going on.

guess thats next.

> 
> Cause the wierd part is I don't have a problem with BPF's working.  Could it
> be your pcap?  I'm using the 0.7.1.tar.gz from tcpdump.org.

Im using whatever library it finds on FBSD 4.5.
-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/




More information about the Snort-users mailing list