[Snort-users] Daemonlogger and BPF

Randal T. RIoux randy at ...13561...
Mon Jun 7 01:23:34 EDT 2010


Aye! That makes sense. I shouldn't do these things when I'm overtired :-)

Thanks to you and Jason... I got it now.

Enjoy your evening!

Randy


On 06/07/2010 01:10 AM, Martin Roesch wrote:
> Hi Randy,
>
> Your expression rejects all packets, as Jason said.  I think you want
> to use "or" instead of "and" there.
>
> Daemonlogger uses the same BPF file format as all libpcap-derived
> programs (tcpdump, snort, etc).  I guess I should mention that in the
> docs. :)  If you want to read up on it before I get an update out the
> door just 'man tcpdump' and it should all be in there.
>
>
> Marty
>
>
> On Mon, Jun 7, 2010 at 12:15 AM, Randal T. RIoux <randy at ...13561...> wrote:
>> I have a question about the file format for bpf filtering with Daemonlogger.
>>
>> The syntax isn't described anywhere. However, this is what I know.
>>
>> "port 80 and port 8080" works fine for the -f command line inclusion.
>>
>> "port 80 and port 8080 and port 8181" throws this error:
>>
>>     expression rejects all packets
>>
>> So, I guess my question really is: what is the proper formatting/syntax
>> for BPF usage in Daemonlogger?
>>
>> Thanks!
>> Randy
>>
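
The "expression rejects all packets" error in the thread above is libpcap's optimizer noticing that no packet can satisfy the filter: a packet carries one source port and one destination port, so `port 80 and port 8080` can still match (a packet between those two ports) while three distinct `port` terms joined by `and` never can, and `or` is the intended operator. The following is an added example, not Daemonlogger or libpcap code: a small Python model of the `port` predicate (only `port N`, `and`, `or` and parentheses are supported) that parses such an expression and checks exhaustively whether any source/destination port pair could match it.

```python
import re
from itertools import product

TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bport\s+\d+")

class Parser:
    def __init__(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]   # IndexError on a truncated expression
    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token: " + self.peek())
        return node
    def expr(self):                 # 'and' binds tighter than 'or', as in libpcap
        return self.chain("or", lambda: self.chain("and", self.atom))
    def chain(self, op, sub):       # left-associative run of one operator
        left = sub()
        while self.peek() == op:
            self.take()
            left = (op, left, sub())
        return left
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return ("port", int(tok[4:]))  # 'port N'; any other token raises ValueError

def matches(node, sport, dport):
    if node[0] == "port":           # 'port N' is true for src port N or dst port N
        return node[1] in (sport, dport)
    a, b = matches(node[1], sport, dport), matches(node[2], sport, dport)
    return (a and b) if node[0] == "and" else (a or b)

def rejects_all(expr):
    """True when no packet can satisfy expr; libpcap reports this as an error."""
    node = Parser(expr).parse()
    ports = {int(p) for p in re.findall(r"port\s+(\d+)", expr)}
    # Predicates only compare against the listed ports, so those plus one
    # unlisted port cover every distinguishable source/destination pair.
    cands = sorted(ports) + [next(p for p in range(65536) if p not in ports)]
    return not any(matches(node, s, d) for s, d in product(cands, repeat=2))
```

`rejects_all("port 80 and port 8080 and port 8181")` is true, while the same ports joined by `or` (or the two-port `and` form from the original post) can be matched.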
