[Snort-users] BPF filter syntax

Joel Esler jesler at ...1935...
Thu Feb 28 23:04:17 EST 2013


I'd probably include the IP in question in the bpf for that particular port, that way you aren't ignoring ALL traffic on that port.  Just from your one host.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Thursday, February 28, 2013 at 7:48 PM, Eric G wrote:

> After lurking on this list for many moons and occasionally replying to some questions and threads, I finally have my own question to post.
> I have a particular sensor whose CPU keeps spiking out at 1am. I'm trying to write a BPF filter to filter out the backup traffic, on tcp port 13724. Honestly it's not a big deal if the BPF filter matches on other traffic that happens to use that port (as a source port for example), I'm really just trying to finally solve this problem first and tune the filter later.
> Is !(port 13724) the correct syntax for the filter? Should I match on a NOT or match on the traffic I'm trying to filter out?
> Thanks guys,
> Eric
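As an added illustration, not part of the thread, the following Python evaluator for a small pcap-filter (BPF) subset runs Eric's `not port 13724` and a host-qualified filter of the kind Joel suggests over constructed packets; it shows that the narrower filter keeps the sensor watching other hosts that happen to use 13724. The addresses are placeholders (10.0.0.5 stands in for the backup host), and pcap-filter accepts both `not` and `!` for negation.

```python
"""Evaluator for a pcap-filter (BPF) subset, run over constructed packets."""
import re

# Constructed sample traffic, not a real capture: (src_ip, dst_ip, proto, sport, dport).
# 10.0.0.5 is a placeholder for the backup host; no addresses come from the thread.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", "tcp", 50123, 13724),  # backup job from the backup host
    ("10.0.0.9", "10.0.0.5", "tcp", 13724, 50123),  # its reply traffic
    ("192.0.2.7", "10.0.0.20", "tcp", 13724, 445),  # other host using 13724 as source port
    ("10.0.0.5", "10.0.0.20", "tcp", 40000, 80),    # backup host, unrelated traffic
]

def parse(expr):
    """Parse not/!, and, parentheses and [tcp|udp] [src|dst] host <ip> | port <n>
    into a predicate over the tuples above ('not' binds tighter than 'and')."""
    toks, pos = re.findall(r"\(|\)|!|[^\s()!]+", expr), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def primitive():
        proto = direction = None
        t = take()
        if t in ("tcp", "udp"):
            proto, t = t, take()
        if t in ("src", "dst"):
            direction, t = t, take()
        if t not in ("host", "port"):
            raise SyntaxError("unexpected token %r" % t)
        value = take() if t == "host" else int(take())
        idx = {"host": (0, 1), "port": (3, 4)}[t]  # packet fields to compare against
        if direction:
            idx = (idx[0],) if direction == "src" else (idx[1],)
        return lambda p: (proto is None or p[2] == proto) and any(p[i] == value for i in idx)
    def factor():
        if peek() in ("not", "!"):
            take(); sub = factor(); return lambda p: not sub(p)
        if peek() == "(":
            take(); sub = term(); take(); return sub  # second take() consumes the ')'
        return primitive()
    def term():
        node = factor()
        while peek() == "and":
            take(); node = (lambda l, r: lambda p: l(p) and r(p))(node, factor())
        return node
    return term()

def kept_packets(expr, packets=PACKETS):  # packets the sensor would still inspect
    keep = parse(expr)
    return [p for p in packets if keep(p)]
```

On a real sensor, compile the expression first with `tcpdump -d '<expr>'` to catch syntax errors before handing it to Snort.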
