[Snort-users] Perfmonitor / BPF Question

Martin Roesch roesch at ...1935...
Wed Jan 16 10:53:02 EST 2008


Hi Rob,

BPF is a prefilter for Snort; packets that get filtered by BPF aren't
seen by the Snort engine at all.

	-Marty

On Jan 16, 2008, at 10:03 AM, Rob Sharp wrote:

> I have a sensor deployed with a BPF file to filter out our network
> vulnerability scanners to keep the noise down.  I notice when the
> scanner makes a sweep that the dropped packets increase quite a bit.
>
> My question is does the perfmonitor count packets dropped by the BPF  
> in the stats it tracks?  That would explain the jumps in packet loss.
>
> -- 
> Robert Sharp
> robertsharp at ...11827...  

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
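
Because packets removed by the BPF prefilter never reach the Snort engine, as the reply above states, an exclusion list for scanners should stay as narrow as possible. The following is an added example, not part of the original thread and not Snort project code: it builds such a filter from a constructed scanner inventory and rejects entries wider than an assumed /28 limit; the function name, addresses and limit are illustrative assumptions.

```python
import ipaddress

# Constructed sample inventory (documentation addresses, not from the thread).
SCANNERS = ["192.0.2.10", "192.0.2.21/32", "198.51.100.16/28", "192.0.2.10"]

# Assumed local policy: refuse any exclusion wider than a /28.
MIN_PREFIX = 28


def build_scanner_bpf(entries, min_prefix=MIN_PREFIX):
    """Return a BPF expression that excludes the listed IPv4 scanners.

    Everything matched by the exclusion is invisible to Snort, so entries
    that are malformed or too broad raise ValueError.
    """
    nets = set()
    for entry in entries:
        # strict=True rejects entries with host bits set, e.g. 192.0.2.10/24,
        # which usually means a host was typed with the wrong mask.
        net = ipaddress.IPv4Network(entry.strip(), strict=True)
        if net.prefixlen < min_prefix:
            raise ValueError(
                f"{net} is wider than /{min_prefix}; "
                "Snort would never see traffic in that range"
            )
        nets.add(net)
    if not nets:
        raise ValueError("empty scanner list would produce an invalid filter")

    # collapse_addresses() removes duplicates, merges adjacent or overlapping
    # ranges, and returns the result in sorted order.
    terms = []
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    print(build_scanner_bpf(SCANNERS))
```

The returned expression can be written to the file that Snort loads with `-F`.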

