[Snort-users] win2000 pro, problem with bpf using a file

Turnquist,Wayne WayneTurnquist at ...12076...
Mon Nov 15 06:54:15 EST 2004


I tried searching Google for some examples of using a bpf file with multiple entries to show me the correct format.


I have Snort 2.2.0, MySQL and ACID up and running fine. I also am using the pass filters to weed out my false positives. But now I have a few http_inspect alerts I need to filter out, for which I was going to use the bpf file. The following is an example I'm using:



not (src host x.x.x.x and dest net y.y.y.0 and dest port z.z.z.z) and not (src host x.x.x.x and dest net p.p.p.0 and dest port z.z.z.z)

My reading of the rule is that I want to capture all traffic except if a packet matches any of the rules. Is this rule written correctly?


My first attempt at this was that I added about 10 rules to this file and was getting syntax errors. The only way I could get the file read in was to add everything on one line.

1) Is there a format where I could add rules one line at a time instead of on one line:
not (src host x.x.x.x and dest net y.y.y.0 and dest port z.z.z.z) and
not (src host x.x.x.x and dest net p.p.p.0 and dest port z.z.z.z) and
as many other rules as needed


2) If my rule is written right, I'm still getting alerts showing up that should be dropped by the bpf filter file that was read into Snort. How can I do a test to see if what was written is at least loaded and interpreted correctly by Snort? Or is this a known issue with the Windows version of Snort?

I hope I explained my problem well enough to be understood.

Thanks,
wt
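As an added example (not part of the original post and not Snort's own code): a small Python checker that joins a one-exclusion-per-line file into the single-line expression the poster found Snort accepts, and flags words libpcap will reject before the file is handed to Snort's -F option. It uses the libpcap qualifier `dst` (the filter language has no `dest`), the port values are plain numbers, the addresses are constructed RFC 5737 samples, and the `#` comment lines are this script's own convention.

```python
"""Join a one-exclusion-per-line BPF file into one expression, checking each clause."""
import ipaddress
import re
KEYWORDS = {"and", "or", "not", "src", "dst", "host", "net", "port"}  # libpcap subset
CLAUSE_RE = re.compile(r"^not\s*\((.*)\)$")

def check_clause(clause):
    """Return the problems found in one 'not ( ... )' exclusion clause."""
    m = CLAUSE_RE.match(clause)
    if not m:
        return [f"not of the form 'not ( ... )': {clause}"]
    problems, prev = [], None
    for tok in m.group(1).split():
        if tok in KEYWORDS:
            prev = tok
            continue
        if prev in ("host", "net"):  # expect an IP address or prefix
            try:
                ipaddress.ip_network(tok, strict=False)
            except ValueError:
                problems.append(f"bad address after {prev}: {tok}")
        elif prev == "port":  # expect a port number
            if not (tok.isdigit() and int(tok) <= 65535):
                problems.append(f"bad port number: {tok}")
        else:  # e.g. 'dest': libpcap's qualifier is 'dst'
            problems.append(f"unknown word: {tok}")
        prev = None
    return problems

def build_filter(text):
    """Combine the clauses with 'and'. A trailing 'and' on a line is tolerated;
    '#' comment lines are this script's own convention. Returns (expr, problems)."""
    clauses, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\s+and$", "", raw.strip())
        if not line or line.startswith("#"):
            continue
        if line.count("(") != line.count(")"):
            problems.append(f"line {lineno}: unbalanced parentheses")
            continue
        problems += [f"line {lineno}: {p}" for p in check_clause(line)]
        clauses.append(line)
    return " and ".join(clauses), problems

SAMPLE = """\
# constructed sample (RFC 5737 addresses): scanner flows that trip http_inspect
not (src host 192.0.2.10 and dst net 198.51.100.0/24 and dst port 80) and
not (src host 192.0.2.10 and dst net 203.0.113.0/24 and dst port 80)
"""
```

Running `build_filter(SAMPLE)` returns the joined one-line expression and an empty problem list; feeding it a clause with `dest` instead of `dst`, a missing closing parenthesis, or a port above 65535 returns the corresponding problem with its line number, which is the kind of loading check the second question asks for.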



