[Snort-users] Snort 1.8.7b6 not listen to BPF filters
andreaso at ...236...
Fri Jul 19 13:29:05 EDT 2002
On Fri, 19 Jul 2002, Michael Scheidell wrote:
> > > /usr/local/bin/snort -doDI -m 022 -z \
> > > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> > > not src host 10.1.1.10
> source of attack was 22.214.171.124. Destination was 10.1.1.10
Here is a theory.
The filter "not src host 10.1.1.10" makes Snort see only packets in one
direction when attacking from 126.96.36.199 -> 10.1.1.10, so Snort never
gets that this is actually an established session. Since -z i specified,
no alert is generated (which should probably be regarded as correct).
What do you think?
What happens if you run without -z?
More information about the Snort-users