[Snort-users] BPF Question

eltra1n larry.wichman at ...11827...
Wed Mar 7 18:45:19 EST 2012

Hello -

I am loading the following BPF file in Snort.conf

((src || dst host ! ( and and
and not && src || dst net ! ( and and and and
and && tcp[2:2] > 1024 || tcp[1:1] > 1024))

I just want to look at TCP highports and ignore some networks and hosts

I am also loading perfmon:

preprocessor perfmonitor: \
#preprocessor perfmonitor: time 30 flow-ip flow-ip-file
flow-ip-stats.csv pktcnt 1000

In the flow-ip-stats.csv I see traffic to and from  (in
my BPF file).

I thought this would have been filtered. Is my BPF syntax wrong?
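
The TCP byte offsets in the filter above are worth checking before anything else: `tcp[0:2]` is the source port and `tcp[2:2]` the destination port, each a 16-bit field, whereas `tcp[1:1]` reads a single byte (0-255) and so can never be greater than 1024. The following is an added example, not part of the original message: it builds a minimal IPv4/TCP packet (20-byte IP header, no options, constructed addresses) and evaluates those expressions the way BPF does, alongside an equivalent filter string written with `portrange`; the host and network lists passed to `highport_filter` are assumptions, not the poster's.

```python
import struct


def build_ipv4_tcp(src_port, dst_port):
    """Construct a minimal IPv4 header (no options) followed by a bare TCP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,       # v4, IHL=5, len 40, TTL 64, proto TCP
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed src/dst
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)  # data offset 5, SYN
    return ip_hdr + tcp_hdr


def tcp_field(pkt, offset, size):
    """Emulate BPF's tcp[offset:size]: big-endian read relative to the TCP header start."""
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes, as BPF's tcp[] indexing uses
    start = ihl + offset
    return int.from_bytes(pkt[start:start + size], "big")


def posted_highport_test(pkt):
    """The port clause as posted: tcp[2:2] > 1024 || tcp[1:1] > 1024."""
    return tcp_field(pkt, 2, 2) > 1024 or tcp_field(pkt, 1, 1) > 1024


def intended_highport_test(pkt):
    """Either port above 1024: source port is tcp[0:2], destination port tcp[2:2]."""
    return tcp_field(pkt, 0, 2) > 1024 or tcp_field(pkt, 2, 2) > 1024


def highport_filter(excluded_hosts, excluded_nets):
    """Same intent expressed with libpcap's portrange keyword and explicit exclusions.

    'not (host a or host b)' applies the negation to the whole group, which the
    'src || dst host ! (...)' form in the post does not do reliably.
    """
    parts = ["tcp", "(src portrange 1025-65535 or dst portrange 1025-65535)"]
    if excluded_hosts:
        parts.append("not (" + " or ".join("host %s" % h for h in excluded_hosts) + ")")
    if excluded_nets:
        parts.append("not (" + " or ".join("net %s" % n for n in excluded_nets) + ")")
    return " and ".join(parts)
```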
