[Snort-users] What is the correct syntax for bpf_file?

Miguel Alvarez miguellvrz9 at ...11827...
Tue Jan 29 11:38:54 EST 2013

I have a list of my nessus scanners in my /etc/snort/bpf_file but they're
still triggering alerts.  I've got them listed in the following syntax for

not (src host &&
not (src host &&
not (src host

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort/eth6 -F /etc/snort/bpf_file

And it shows up in the syslog when snorts starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host &&
not (src host &&
not (src host

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan
OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} ->

This is snort on CentOS 5.x.  What am I doing wrong?

Thank you!
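An added example, not part of the post above: a small Python helper that builds the exclusion filter in the single-expression form pcap expects (`not (host A or host B ...)`) and checks it for the unbalanced-parenthesis problem visible in the filter quoted in the post. The scanner addresses are constructed placeholders, since the real ones were stripped from the post, and `write_bpf_file` is a hypothetical name.

```python
import ipaddress
from typing import Iterable, List

# Constructed placeholder addresses standing in for the stripped scanner IPs.
SCANNERS = ["192.0.2.10", "192.0.2.11", "198.51.100.5"]


def validate_hosts(hosts: Iterable[str]) -> List[str]:
    """Normalise each entry as an IP address; a non-address raises ValueError."""
    return [str(ipaddress.ip_address(h.strip())) for h in hosts if h.strip()]


def build_exclusion_filter(hosts: Iterable[str]) -> str:
    """Return one BPF expression dropping traffic to or from every listed host.

    'host X' matches X as source or destination, so the scanner's probes and
    the targets' replies are both excluded. A chain of 'not (src host A &&
    not (src host B ...' nests each host inside the previous negation and does
    not mean "exclude all of them", even when the parentheses are closed.
    """
    clean = validate_hosts(hosts)
    if not clean:
        return ""
    return "not (" + " or ".join(f"host {h}" for h in clean) + ")"


def parens_balanced(expr: str) -> bool:
    """Cheap syntax check: every '(' must have a matching ')'."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def write_bpf_file(path: str, hosts: Iterable[str]) -> str:
    """Write the expression as the whole content of a file usable with snort -F."""
    expr = build_exclusion_filter(hosts)
    with open(path, "w") as f:
        f.write(expr + "\n")
    return expr


if __name__ == "__main__":
    # Constructed copy of the post's form with placeholder IPs: never closed.
    broken = "not (src host 192.0.2.10 && not (src host 192.0.2.11 && not (src host 198.51.100.5"
    print("post's form balanced:", parens_balanced(broken))  # False
    print(build_exclusion_filter(SCANNERS))
```

The resulting file can be compiled without starting Snort via `tcpdump -d -F <file>`, which reads a filter from the same kind of file and reports syntax errors.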
