[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Andreas Östling andreaso at ...236...
Fri Jul 19 13:29:05 EDT 2002

On Fri, 19 Jul 2002, Michael Scheidell wrote:

> > > /usr/local/bin/snort -doDI -m 022 -z \
> > > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> > > not src host

> source of attack was  Destination was

Here is a theory.
The filter "not src host" makes Snort see only packets in one
direction when attacking from ->, so Snort never
gets that this is actually an established session. Since -z is specified,
no alert is generated (which should probably be regarded as correct).

What do you think?
What happens if you run without -z?
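
As an added illustration of the theory above (this is constructed example code, not Snort's own code and not part of the original post), the toy model below applies a BPF-style filter to a handcrafted TCP session and feeds whatever survives to a minimal stream4-like tracker that only reaches ESTABLISHED after SYN, SYN/ACK and ACK have all been seen. Host names "A" (attacker), "V" (target) and "N" (an unrelated noisy host), the ports and the signature string are all assumptions. With `not src host V` the tracker never sees the SYN/ACK, so an established-only alerting policy (the -z behaviour) suppresses the hit; without that policy, or with a filter that keeps both directions of the session such as `not host N`, the same packet alerts.

```python
"""Toy model of why a one-directional BPF filter starves a stateful TCP tracker.

Added illustration, not Snort's code: the filter, the packets and the
'established only' alerting policy are all constructed here.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # subset of "SAPF", e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


def bpf_not_src_host(host):
    """Mimic the BPF expression 'not src host <host>': drops one direction only."""
    return lambda p: p.src != host


def bpf_not_host(host):
    """Mimic 'not host <host>': drops both directions to and from <host>."""
    return lambda p: p.src != host and p.dst != host


def bpf_none(p):
    """No filter at all (equivalent to running Snort without a BPF expression)."""
    return True


class StreamTracker:
    """Minimal stream4-like tracker: a flow becomes ESTABLISHED only after the
    full three-way handshake (SYN, SYN/ACK, ACK) has been observed."""

    def __init__(self):
        self.state = {}

    @staticmethod
    def key(p):
        # Unordered endpoint pair, so both directions map to the same flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def feed(self, p):
        k = self.key(p)
        st = self.state.get(k, "NONE")
        if st == "NONE" and p.flags == "S":
            st = "SYN_SEEN"
        elif st == "SYN_SEEN" and p.flags == "SA":
            st = "SYNACK_SEEN"
        elif st == "SYNACK_SEEN" and "A" in p.flags and "S" not in p.flags:
            st = "ESTABLISHED"
        self.state[k] = st
        return st


def run(packets, bpf, established_only, signature=b"GET /cgi-bin/"):
    """Apply the filter, feed survivors to the tracker and count alerts for
    packets carrying `signature`. With established_only (the -z policy) a hit
    in a flow that never reached ESTABLISHED is suppressed."""
    tracker = StreamTracker()
    alerts = 0
    for p in packets:
        if not bpf(p):
            continue                      # dropped before Snort ever sees it
        state = tracker.feed(p)
        if signature in p.payload:
            if not established_only or state == "ESTABLISHED":
                alerts += 1
    return alerts


# Constructed session: A attacks V over TCP/80; N is unrelated background noise.
PACKETS = [
    Packet("A", "V", 40000, 80, "S"),
    Packet("V", "A", 80, 40000, "SA"),
    Packet("A", "V", 40000, 80, "A"),
    Packet("N", "V", 51000, 80, "S"),
    Packet("A", "V", 40000, 80, "PA", b"GET /cgi-bin/test HTTP/1.0\r\n"),
    Packet("V", "A", 80, 40000, "A"),
]

if __name__ == "__main__":
    print("not src host V, -z :", run(PACKETS, bpf_not_src_host("V"), True))
    print("not src host V, no -z:", run(PACKETS, bpf_not_src_host("V"), False))
    print("no filter,      -z :", run(PACKETS, bpf_none, True))
    print("not host N,     -z :", run(PACKETS, bpf_not_host("N"), True))
```

The first run returns 0 because the tracker is stuck in SYN_SEEN: the filter removed V's SYN/ACK, so the later ACK is not recognised as completing the handshake. The remaining three runs each return 1, which is the behaviour the post predicts for running without -z, and also shows that excluding an unrelated host with `not host` keeps the handshake intact.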

