[Snort-users] What is the correct syntax for bpf_file?

Miguel Alvarez miguellvrz9 at ...11827...
Tue Jan 29 11:38:54 EST 2013


I have a list of my nessus scanners in my /etc/snort/bpf_file but they're
still triggering alerts.  I've got them listed in the following syntax for
example:

not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/eth6 -F /etc/snort/bpf_file

And it shows up in the syslog when snort starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
/etc/snort/bpf_file
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host
10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan
OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} 10.10.1.1:49870 -> 10.10.1.43:22

This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?

Thank you!

MA
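An added example, not code from the poster or from the Snort project: a small Python triage script that reads a bpf_file written in the shape shown above, extracts the source hosts its "not (src host ...)" clauses exclude, and then checks a sample of fast-alert lines for alerts whose source is one of those hosts. If the filter were really applied at capture time, no such alert could exist, so any hit shows that the filter is not taking effect on that traffic, independent of whether the file's syntax looks right. The filter contents and alert lines below are constructed samples modelled on the post; the script understands only the single clause shape used there and reports anything else as unparsed rather than guessing at it.

```python
import re
import ipaddress

# Constructed sample bpf_file contents, in the same shape as the post's filter.
SAMPLE_BPF_FILE = """not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)
"""

# Constructed sample alert lines in Snort's fast-alert format (not from a real sensor).
SAMPLE_ALERTS = """01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
01/29-16:36:29.000001  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.50:40000 -> 10.10.1.43:22
01/29-16:36:30.000002  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.3:40001 -> 10.10.1.44:22
"""

# One exclusion clause of the form "not (src host A.B.C.D)".
_EXCLUDE_RE = re.compile(
    r"not\s*\(\s*src\s+host\s+(\d+\.\d+\.\d+\.\d+)\s*\)", re.IGNORECASE
)

# Trailing "{PROTO} src[:port] -> dst[:port]" of a fast-alert line.
_ALERT_RE = re.compile(
    r"\{(\w+)\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def excluded_src_hosts(bpf_text):
    """Return (hosts, leftover): the set of source addresses excluded by
    'not (src host X)' clauses, and whatever text remains once those clauses
    and the '&&' / 'and' conjunctions are removed. Newlines are folded into
    whitespace, as libpcap treats them. A non-empty leftover means the file
    contains filter syntax this script does not understand."""
    text = " ".join(bpf_text.split())
    hosts = set()
    for m in _EXCLUDE_RE.finditer(text):
        # ipaddress validates the dotted quad and normalises its spelling.
        hosts.add(str(ipaddress.ip_address(m.group(1))))
    leftover = _EXCLUDE_RE.sub("", text)
    leftover = re.sub(r"\s*(&&|\band\b)\s*", " ", leftover, flags=re.IGNORECASE).strip()
    return hosts, leftover


def alerts_from_excluded_hosts(alert_text, hosts):
    """Return the alert lines whose source address is in `hosts`.
    With the BPF filter applied at capture time this list must be empty."""
    leaked = []
    for line in alert_text.splitlines():
        m = _ALERT_RE.search(line)
        if not m:
            continue  # not a fast-alert line we can attribute to a source
        if m.group(2) in hosts:
            leaked.append(line)
    return leaked


if __name__ == "__main__":
    hosts, leftover = excluded_src_hosts(SAMPLE_BPF_FILE)
    print("excluded sources:", sorted(hosts))
    if leftover:
        print("unparsed filter text:", leftover)
    for line in alerts_from_excluded_hosts(SAMPLE_ALERTS, hosts):
        print("alert from an excluded source:", line)
```

In real use, replace the two constructed samples with the contents of /etc/snort/bpf_file and the sensor's alert file; the same check also works on the "Snort BPF option:" line that Snort logs at startup, which shows the filter text exactly as it was read.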