[Snort-users] BPF filters and Demarc

Gary Danko GDanko at ...9744...
Mon Jul 28 16:10:16 EDT 2003

Okay, I did some reading on the net and found a way to create the stuff to
put in the filter file, and now my filter file looks like this:

[root at ...9745... conf]$ more bpf-filters.conf
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [26]
(003) jeq      #0x409cc50c      jt 12   jf 4
(004) ld       [30]
(005) jeq      #0x409cc50c      jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [28]
(009) jeq      #0x409cc50c      jt 12   jf 10
(010) ld       [38]
(011) jeq      #0x409cc50c      jt 12   jf 13
(012) ret      #0
(013) ret      #96

I am still receiving the same results when I try to start snort with the -F

-----Original Message-----
From: Gary Danko 
Sent: Monday, July 28, 2003 3:47 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] BPF filters and Demarc

Hi all. I want to start Snort with the -F switch when I use Demarc. In
Demarc's configuration file I have this entry for Snort options:

# Additional  Snort command-line options (default: "-o -q")
snort_options = "-o -de"

I changed it to something like this to try and load my bpf filter file:

# Additional  Snort command-line options (default: "-o -q")
snort_options = "-F /usr/local/demarc/conf/bpf-filters.conf -o -de"

Demarc is unable to start Snort when I include this file. Has anyone used
Demarc/Snort with a bpf filters file?
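
The listing in the message above is in the format that `tcpdump -d` prints for a compiled filter. As an added example (not part of the original post, and not Snort or Demarc code), this small interpreter for the instructions used in that listing runs it against constructed frames to show which packets it drops and which it passes. The names `parse`, `run` and `frame` and any sample addresses passed to `frame` are assumptions made for the illustration.

```python
import re
import socket

# Listing copied from the post above; everything else here is constructed.
LISTING = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [26]
(003) jeq      #0x409cc50c      jt 12   jf 4
(004) ld       [30]
(005) jeq      #0x409cc50c      jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [28]
(009) jeq      #0x409cc50c      jt 12   jf 10
(010) ld       [38]
(011) jeq      #0x409cc50c      jt 12   jf 13
(012) ret      #0
(013) ret      #96
"""

def parse(listing):
    """Parse '(NNN) op operand [jt X jf Y]' lines into (op, value, jt, jf)."""
    pat = r"\(\d+\)\s+(\w+)\s+\[?#?(\w+)\]?(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?"
    return [(op, int(v, 0), int(jt or 0), int(jf or 0))
            for op, v, jt, jf in re.findall(pat, listing)]

def run(prog, pkt):
    """Run the program on one frame; return the snap length (0 means drop)."""
    acc = pc = 0
    while True:
        op, val, jt, jf = prog[pc]
        if op in ("ld", "ldh"):  # load 4 or 2 bytes, big-endian, at offset val
            end = val + (4 if op == "ld" else 2)
            if end > len(pkt):
                return 0  # an out-of-bounds load rejects the packet
            acc, pc = int.from_bytes(pkt[val:end], "big"), pc + 1
        elif op == "jeq":  # jt/jf in this listing are absolute indices
            pc = jt if acc == val else jf
        elif op == "ret":
            return val
        else:
            raise ValueError(f"unsupported instruction: {op}")

def frame(ethertype, a, b):
    """Constructed sample frame: IPv4 (src a, dst b) or ARP (sender a, target b)."""
    a, b = socket.inet_aton(a), socket.inet_aton(b)
    body = bytes(12) + a + b if ethertype == 0x0800 else bytes(14) + a + bytes(6) + b
    return bytes(12) + ethertype.to_bytes(2, "big") + body
```

The constant 0x409cc50c is the address 64.156.197.12, so `run(parse(LISTING), frame(0x0800, "64.156.197.12", "10.0.0.5"))` returns 0 (drop) while a frame between two other hosts returns 96. That is the behaviour the filter expression `not host 64.156.197.12` describes.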
