[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Andreas Östling andreaso at ...236...
Fri Jul 19 13:29:05 EDT 2002


On Fri, 19 Jul 2002, Michael Scheidell wrote:

> > > /usr/local/bin/snort -doDI -m 022 -z \
> > > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> > > not src host 10.1.1.10

> source of attack was 216.241.67.74.  Destination was 10.1.1.10

Here is a theory.
The filter "not src host 10.1.1.10" makes Snort see only packets in one
direction when attacking from 216.241.67.74 -> 10.1.1.10, so Snort never
gets that this is actually an established session. Since -z is specified,
no alert is generated (which should probably be regarded as correct).

What do you think?
What happens if you run without -z?

/Andreas
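A toy model of the theory above, added here as an example (it is not code from the thread or from Snort itself): a minimal TCP state tracker that only considers a flow established after SYN, SYN/ACK and ACK have all been seen, run over a constructed handshake with and without a one-directional BPF filter. The two addresses come from the thread; the packets, flags and payload marker are constructed.

```python
# Added example, not from the original post: why "not src host 10.1.1.10"
# stops a "-z est"-style check from ever seeing an established session.

ATTACKER = "216.241.67.74"   # addresses as given in the thread
VICTIM = "10.1.1.10"
SIGNATURE = b"SUSPICIOUS"    # constructed marker standing in for a rule match

# Constructed packets: (src, dst, tcp flags, payload), in wire order.
HANDSHAKE = [
    (ATTACKER, VICTIM, {"SYN"}, b""),
    (VICTIM, ATTACKER, {"SYN", "ACK"}, b""),   # the only victim->attacker packet
    (ATTACKER, VICTIM, {"ACK"}, b""),
    (ATTACKER, VICTIM, {"ACK", "PSH"}, b"SUSPICIOUS request body"),
]


def not_src_host(host):
    """BPF-like predicate for 'not src host <host>'."""
    return lambda pkt: pkt[0] != host


def run_snort_model(packets, bpf=None, z_est=True):
    """Return the number of alerts a Snort-like sensor would raise.

    bpf   : optional filter applied before the sensor sees a packet.
    z_est : when True, alert only on flows the tracker marked ESTABLISHED
            (the behaviour the thread attributes to -z).
    """
    state = {}
    alerts = 0
    for pkt in packets:
        if bpf is not None and not bpf(pkt):
            continue                     # dropped by BPF, never reaches Snort
        src, dst, flags, payload = pkt
        key = frozenset((src, dst))      # one entry per bidirectional flow
        cur = state.get(key, "NEW")
        if cur == "NEW" and flags == {"SYN"}:
            state[key] = "SYN_SEEN"
        elif cur == "SYN_SEEN" and flags == {"SYN", "ACK"}:
            state[key] = "SYNACK_SEEN"
        elif cur == "SYNACK_SEEN" and "ACK" in flags:
            state[key] = "ESTABLISHED"
        established = state.get(key) == "ESTABLISHED"
        if SIGNATURE in payload and (not z_est or established):
            alerts += 1
    return alerts


if __name__ == "__main__":
    print("no filter, -z    :", run_snort_model(HANDSHAKE))
    print("filter,    -z    :", run_snort_model(HANDSHAKE, not_src_host(VICTIM)))
    print("filter,    no -z :", run_snort_model(HANDSHAKE, not_src_host(VICTIM), z_est=False))
```

With the filter in place the SYN/ACK is the packet that disappears, so the flow never leaves SYN_SEEN and the payload packet is ignored; dropping -z (as Andreas suggests trying) brings the alert back.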