[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Erek Adams erek at ...577...
Fri Jul 19 12:06:37 EDT 2002


On Fri, 19 Jul 2002, Michael Scheidell wrote:

> 1.8.7 does same thing.

Ok, had to try.  :)

> /usr/local/bin/snort -doDI -m 022 -z \
> -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> not src host 10.1.1.10
>
>
> does not record tcp attacks.

Ok, correct me if I'm wrong:  But that's what you want, right?
If that's the case then the failure must be in the -F option.

> > Cause the weird part is I don't have a problem with BPF's working.  Could it
> > be your pcap?  I'm using the 0.7.1.tar.gz from tcpdump.org.
>
> I'm using whatever library it finds on FBSD 4.5.

Might want to check and see which libpcap it's linking to with ldd...

Ping thought, but does TCPdump show the same behavior when passing it a 'file'
of filters?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net