[Snort-users] Daemonlogger and BPF
Randal T. RIoux
randy at ...13561...
Mon Jun 7 01:23:34 EDT 2010
Aye! That makes sense. I shouldn't do these things when I'm overtired :-)
Thanks to you and Jason... I got it now.
Enjoy your evening!
On 06/07/2010 01:10 AM, Martin Roesch wrote:
> Hi Randy,
> Your expression rejects all packets, as Jason said. I think you want
> to use "or" instead of "and" there.
> Daemonlogger uses the same BPF file format as all libpcap-derived
> programs (tcpdump, snort, etc). I guess I should mention that in the
> docs. :) If you want to read up on it before I get an update out the
> door just 'man tcpdump' and it should all be in there.
> On Mon, Jun 7, 2010 at 12:15 AM, Randal T. RIoux <randy at ...13561...> wrote:
>> I have a question about the file format for bpf filtering with Daemonlogger.
>> The syntax isn't described anywhere. However, this is what I know.
>> "port 80 and port 8080" works fine for the -f command line inclusion.
>> "port 80 and port 8080 and port 8181" throws this error:
>> expression rejects all packets
>> So, I guess my question really is: what is the proper formatting/syntax
>> for BPF usage in Daemonlogger?
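Why the three-port "and" filter can never match, shown as an added example that is not part of this thread, of Daemonlogger or of libpcap: a TCP/UDP packet carries exactly two ports, and the BPF primitive "port N" is true when either of them equals N, so three distinct ports joined with "and" is unsatisfiable, which is what libpcap's optimizer reports as "expression rejects all packets". The mini-parser below (an assumption of this example, covering only `port`, `src port`, `dst port`, `and`, `or`, `not` and parentheses, not the full BPF grammar) evaluates a filter against every class of (source, destination) port pair it could distinguish and reports which pairs match.

```python
"""Added example: model BPF "port" predicates on a two-port packet to show which
filter expressions can match at all. Not Daemonlogger or libpcap code; the
grammar covered here is a small subset chosen for illustration."""
import re
from itertools import product

TOKEN_RE = re.compile(r"\(|\)|\w+")


class Parser:
    """Recursive-descent parser for: [src|dst] port N, and, or, not, ( )."""

    def __init__(self, text):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):            # lowest precedence, as in tcpdump syntax
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            self.take(")")
            return node
        direction = "either"       # plain "port N" tests both ports
        if tok in ("src", "dst"):
            direction = tok
            tok = self.take()
        if tok != "port":
            raise SyntaxError(f"unsupported primitive {tok!r}")
        return ("port", direction, int(self.take()))


def evaluate(node, pkt):
    """Evaluate a parsed filter against a constructed (src_port, dst_port) packet."""
    src, dst = pkt
    kind = node[0]
    if kind == "port":
        _, direction, n = node
        if direction == "src":
            return src == n
        if direction == "dst":
            return dst == n
        return n in (src, dst)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    return evaluate(node[1], pkt) or evaluate(node[2], pkt)


def mentioned_ports(node):
    if node[0] == "port":
        return {node[2]}
    return set().union(*(mentioned_ports(child) for child in node[1:]))


def matching_packets(expr):
    """Return the (src, dst) pairs, drawn from the ports the filter names plus one
    stand-in for 'any other port', that satisfy the filter. Every real packet is
    equivalent to one of these pairs, so an empty list means nothing can match."""
    tree = Parser(expr).parse()
    ports = mentioned_ports(tree)
    other = max(ports, default=0) + 1          # constructed stand-in port
    candidates = sorted(ports | {other})
    return [pkt for pkt in product(candidates, repeat=2) if evaluate(tree, pkt)]


def can_match(expr):
    return bool(matching_packets(expr))


if __name__ == "__main__":
    for expr in ("port 80 and port 8080",
                 "port 80 and port 8080 and port 8181",
                 "port 80 or port 8080 or port 8181"):
        pkts = matching_packets(expr)
        verdict = f"matches e.g. {pkts[:3]}" if pkts else "rejects all packets"
        print(f"{expr!r}: {verdict}")
```

Running it shows that "port 80 and port 8080" is satisfiable only by traffic flowing between those two exact ports, which is rarely what a capture filter intends, while the "or" form matches any packet touching one of the three ports.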