[Snort-users] BPF filter syntax

Eric G eric at ...15503...
Thu Feb 28 19:48:15 EST 2013


After lurking on this list for many moons and occasionally replying to some
questions and threads, I finally have my own question to post.

I have a particular sensor whose CPU keeps spiking out at 1am. I'm trying
to write a BPF filter to filter out the backup traffic, on tcp port 13724.
Honestly it's not a big deal if the BPF filter matches on other traffic
that happens to use that port (as a source port for example), I'm really
just trying to finally solve this problem first and tune the filter later.

Is !(port 13724) the correct syntax for the filter? Should I match on a NOT
or match on the traffic I'm trying to filter out?

Thanks guys,
Eric
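Both `not tcp port 13724` and `!(tcp port 13724)` are accepted libpcap syntax, and Snort's BPF filter (`-F` / `bpf_file`) keeps the packets that match, so the filter has to describe what to keep. The following is an added example, not part of the original thread; it emulates the `tcp port N` primitive over constructed Ethernet/IPv4 frames (all addresses and ports are made-up sample values) to show that `port` matches either direction of the backup session and that a UDP packet on the same port is still kept.

```python
"""Emulate libpcap's 'tcp port N' and 'not tcp port N' over constructed frames."""
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(proto, sport, dport):
    """Construct a minimal Ethernet II / IPv4 / TCP-or-UDP frame (sample data, not a capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    # TCP and UDP both start with source port, destination port; the rest is padding here.
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    # IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def tcp_port(frame, port):
    """Emulates BPF 'tcp port <port>': IPv4, TCP, first fragment, and
    <port> equal to EITHER the source or the destination port."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return False
    ihl = (frame[14] & 0x0F) * 4
    frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    proto = frame[23]
    if proto != IPPROTO_TCP or frag_off != 0:
        return False  # libpcap only looks at ports in the first fragment
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return port in (sport, dport)


def keep_for_snort(frame, backup_port=13724):
    """Emulates 'not tcp port 13724': True means Snort would still inspect the packet."""
    return not tcp_port(frame, backup_port)
```

Because `port` is direction-agnostic, both the client-to-server half (ephemeral -> 13724) and the replies (13724 -> ephemeral) of the backup session are excluded by the one filter.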