[Snort-users] BPF Question

rmkml rmkml at ...1855...
Thu Mar 8 02:55:51 EST 2012


Hi Larry,

ok, removed an extra "not" in your bpf example
+ changed style
+ it's not >1024, it's >1023
+ replaced many "and" with "or", can you test please?

(
     not host (10.200.129.220 or 10.200.48.26 or 10.200.128.60 or 10.200.22.12)
  and not net (10.252.0.0/16 or 10.199.0.0/16 or 10.176.0.0/24 or 10.176.1.0/24 or 10.176.2.0/24 or 10.175.0.0/24)
  and (( tcp[2:2] > 1023 ) or ( tcp[0:2] > 1023))
)

Regards
Rmkml
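
The filter above modelled in Python, as an added example (not rmkml's, Larry's or Snort's code): BPF's tcp[offset:size] reads `size` bytes at byte `offset`, so a port test needs a two-byte read (tcp[0:2] source, tcp[2:2] destination), and `and` binds tighter than `or`, which is why the port clause is parenthesised. Packets and their ports are constructed; the excluded hosts and nets are the ones from the thread.

```python
import ipaddress
import struct

# Exclusion lists taken from the filter in the thread.
EXCLUDED_HOSTS = {ipaddress.ip_address(h) for h in (
    "10.200.129.220", "10.200.48.26", "10.200.128.60", "10.200.22.12")}
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.252.0.0/16", "10.199.0.0/16", "10.176.0.0/24",
    "10.176.1.0/24", "10.176.2.0/24", "10.175.0.0/24")]


def tcp_field(tcp_hdr: bytes, offset: int, size: int) -> int:
    """BPF tcp[offset:size]: read `size` bytes at byte `offset`, big-endian."""
    return int.from_bytes(tcp_hdr[offset:offset + size], "big")


def make_tcp_hdr(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP header; only the two port fields are populated."""
    return struct.pack("!HH", sport, dport) + bytes(16)


def address_excluded(ip: str) -> bool:
    """`not host (...) and not net (...)`: host/net match either endpoint."""
    addr = ipaddress.ip_address(ip)
    return addr in EXCLUDED_HOSTS or any(addr in net for net in EXCLUDED_NETS)


def high_port_filter(src: str, dst: str, hdr: bytes) -> bool:
    """The parenthesised filter: exclusions AND (dst port > 1023 OR src port > 1023)."""
    if address_excluded(src) or address_excluded(dst):
        return False
    return tcp_field(hdr, 2, 2) > 1023 or tcp_field(hdr, 0, 2) > 1023


def unparenthesized_filter(src: str, dst: str, hdr: bytes) -> bool:
    """Same terms without the parentheses around the port test. BPF's `and` binds
    tighter than `or`, so this reads as (exclusions and dport > 1023) or sport > 1023,
    and excluded traffic passes whenever its source port is high."""
    keep = not (address_excluded(src) or address_excluded(dst))
    return (keep and tcp_field(hdr, 2, 2) > 1023) or tcp_field(hdr, 0, 2) > 1023


if __name__ == "__main__":
    hdr = make_tcp_hdr(40000, 443)  # constructed: high source port, destination 443
    print("tcp[0:2] =", tcp_field(hdr, 0, 2), "tcp[1:1] =", tcp_field(hdr, 1, 1))
    print("10.252.1.5 -> 192.0.2.10, parenthesised:", high_port_filter("10.252.1.5", "192.0.2.10", hdr))
    print("10.252.1.5 -> 192.0.2.10, unparenthesised:", unparenthesized_filter("10.252.1.5", "192.0.2.10", hdr))
```

tcp[1:1] is a single byte, so it can never exceed 255 and a `> 1023` test on it is always false; the excluded 10.252.0.0/16 source is dropped by the parenthesised form but slips through the unparenthesised one.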

On Wed, 7 Mar 2012, eltra1n wrote:

> Hello -
>
> I am loading the following BPF file in Snort.conf
>
> ((src || dst host ! (10.200.129.220 and 10.200.48.26 and 10.200.128.60
> and not 10.200.22.12) && src || dst net ! (10.252.0.0/16 and
> 10.199.0.0/16 and 10.176.0.0/24 and 10.176.1.0/24 and 10.176.2.0/24
> and 10.175.0.0/24) && tcp[2:2] > 1024 || tcp[1:1] > 1024))
>
> I just want to look at TCP highports and ignore some networks and hosts
>
> I am also loading perfmon:
>
> preprocessor perfmonitor: \
> #preprocessor perfmonitor: time 30 flow-ip flow-ip-file
> flow-ip-stats.csv pktcnt 1000
>
> In the flow-ip-stats.csv I see traffic to and from 10.252.0.0/16  (in
> my BPF file).
>
> I thought this would have been filtered. Is my BPF syntax wrong?
>
> Thanks,
> Larry
>