[Snort-users] BPF filter syntax
eric at ...15503...
Thu Feb 28 19:48:15 EST 2013
After lurking on this list for many moons and occasionally replying to some
questions and threads, I finally have my own question to post.
I have a particular sensor whose CPU keeps spiking out at 1am. I'm trying
to write a BPF filter to filter out the backup traffic, on tcp port 13724.
Honestly it's not a big deal if the BPF filter matches on other traffic
that happens to use that port (as a source port for example), I'm really
just trying to finally solve this problem first and tune the filter later.
Is !(port 13724) the correct syntax for the filter? Should I match on a NOT
or match on the traffic I'm trying to filter out?
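Two points of pcap-filter (BPF) semantics decide the answer to the question above. First, the filter selects the packets Snort keeps, not the ones it drops, so the backup traffic has to be negated: `not tcp port 13724` (or, equivalently, `!(port 13724)`; `!` and `not` are interchangeable in the syntax, though `!` has to be quoted in an interactive shell). Second, a bare `port N` qualifier matches the source or the destination port, so the reply half of the backup session (source port 13724) is excluded as well, and leaving out the `tcp` qualifier widens it further to UDP. The script below is an added example, not code from the thread or from Snort: it implements a small evaluator for a subset of the pcap-filter grammar (`and`/`or`/`not`, `(...)`, `tcp`/`udp`/`icmp`, `[proto] [src|dst] port N`, `[src|dst] host A`) and runs the candidate filters over constructed packet summaries, so the keep/drop behaviour of each variant can be compared offline. The packets are made up for illustration and the evaluator only approximates libpcap for this subset; `tcpdump -d 'not tcp port 13724'` remains the authoritative check of a filter's syntax.

```python
"""Evaluate a subset of pcap-filter (BPF) syntax against packet summaries.

Added example: approximates libpcap semantics for and/or/not, parentheses,
tcp/udp/icmp, [proto] [src|dst] port N and [src|dst] host A.
"""
import re
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Pred = Callable[[Packet], bool]

# Constructed sample traffic (not a real capture): the backup session on
# TCP 13724 in both directions plus unrelated traffic the sensor should keep.
SAMPLE_PACKETS: List[Packet] = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 45000, "dst": "10.0.0.9", "dport": 13724},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 13724, "dst": "10.0.0.5", "dport": 45000},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53211, "dst": "10.0.0.2", "dport": 53},
    {"proto": "udp", "src": "10.0.0.7", "sport": 13724, "dst": "10.0.0.8", "dport": 5000},
]

# Parentheses and '!' need no surrounding whitespace, e.g. "!(port 13724)".
_TOKEN = re.compile(r"\(|\)|!|&&|\|\||[^\s()!]+")
_PROTOS = {"tcp", "udp", "icmp"}


def _primitive(proto: Optional[str], direction: Optional[str], kind: str, value: str) -> Pred:
    """Build a predicate for '[proto] [src|dst] port N' or '[src|dst] host A'."""
    if kind == "port":
        want: object = int(value)
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
    else:
        want = value
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]

    def pred(p: Packet) -> bool:
        if proto is not None and p["proto"] != proto:
            return False
        # With no direction given, either end of the packet may match.
        return any(p.get(f) == want for f in fields)

    return pred


class _Parser:
    """Recursive-descent parser: or_expr > and_expr > not_expr > primary."""

    def __init__(self, expr: str) -> None:
        self.toks = _TOKEN.findall(expr)
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Pred:
        pred = self.or_expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self) -> Pred:
        left = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self) -> Pred:
        left = self.not_expr()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.not_expr())
        return left

    def not_expr(self) -> Pred:
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.primary()

    def primary(self) -> Pred:
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        proto = self.take() if self.peek() in _PROTOS else None
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.peek()
        if kind in ("port", "host"):
            self.take()
            value = self.take()
            if value is None:
                raise SyntaxError(f"'{kind}' needs a value")
            return _primitive(proto, direction, kind, value)
        if proto is not None and direction is None:
            return lambda p: p["proto"] == proto  # bare 'tcp' / 'udp' / 'icmp'
        raise SyntaxError(f"cannot parse near {kind!r}")


def compile_filter(expr: str) -> Pred:
    return _Parser(expr).parse()


def is_valid(expr: str) -> bool:
    """True if the expression parses in this subset of the grammar."""
    try:
        compile_filter(expr)
        return True
    except (SyntaxError, ValueError):
        return False


def apply_filter(expr: str, packets: List[Packet] = SAMPLE_PACKETS) -> List[Packet]:
    """Return the packets the sensor would still process under this filter."""
    keep = compile_filter(expr)
    return [p for p in packets if keep(p)]


if __name__ == "__main__":
    for f in ("port 13724", "!(port 13724)", "not tcp port 13724", "not tcp dst port 13724"):
        print(f"{f:28} keeps {len(apply_filter(f))} of {len(SAMPLE_PACKETS)} packets")
```

Running the block shows that `port 13724` on its own keeps only the backup traffic (the opposite of what is wanted), `!(port 13724)` and `not port 13724` drop both directions of the session plus any UDP packet touching that port, `not tcp port 13724` confines the exclusion to TCP, and `not tcp dst port 13724` is the narrowest variant, letting the server's replies through. The last two are the tuning step the post defers; `not tcp port 13724` is the safe first cut.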