[Snort-users] snort expression (ip broadcast)

Papa Mike online_puppy at ...4554...
Fri Jan 3 13:27:07 EST 2003


I have captured a packet with the following bit of
info:

12/30-22:59:59.368544 192.168.1.92:138 ->
192.168.1.255:138

This is from a Samba server (a SMB broadcast).  It was
captured with:

# snort -dvCq src host 192.168.1.92 and dst port 138
and dst net 192.168.1.0 mask 255.255.255.0

Now I wanted to use snort's 'ip broadcast' option but
it fails to capture the packet:

# snort -dvCq src host 192.168.1.92 and dst port 138
and ip broadcast 

Why doesn't this work?



______________________________________________________________________ 
Post your free ad now! http://personals.yahoo.ca




More information about the Snort-users mailing list