[Snort-users] What is the correct syntax for bpf_file?

rmkml rmkml at ...1855...
Tue Jan 29 11:44:11 EST 2013


Hi Miguel,
Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
Regards
Rmkml



On Tue, 29 Jan 2013, Miguel Alvarez wrote:

> I have a list of my Nessus scanners in my /etc/snort/bpf_file but they're still triggering alerts.  I've got them listed in the following syntax for example:
> not (src host 10.10.1.1) &&
> not (src host 10.10.1.2) &&
> not (src host 10.10.1.3)
> 
> And my snort process is pointing to it:
> 
> /usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth6 -F /etc/snort/bpf_file
> 
> And it shows up in the syslog when snort starts:
> 
> Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file: /etc/snort/bpf_file
> Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) &&
> not (src host 10.10.1.2) &&
> not (src host 10.10.1.3)
> 
> But the alerts keep streaming in (not just this alert):
> 
> 01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
> 
> This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?
> 
> Thank you!
> 
> MA
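The single-expression form suggested in the reply above, generated into a file for Snort's -F option, as an added example that is not part of the thread. It assumes tcpdump is installed for the optional compile check; the scanner addresses and the output path are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: write the scanner exclusion as one
# "not src host (A or B or C)" expression and, where tcpdump is available,
# confirm that libpcap compiles it. Addresses and paths are constructed samples.

# build_filter HOST... -> "not src host (H1 or H2 or ...)"
build_filter() {
    hosts=""
    for h in "$@"; do
        if [ -z "$hosts" ]; then hosts="$h"; else hosts="$hosts or $h"; fi
    done
    printf 'not src host (%s)\n' "$hosts"
}

# write_empty_pcap FILE: a 24-byte pcap global header (magic 0xa1b2c3d4,
# version 2.4, snaplen 65535, linktype 1 = Ethernet) with no packets.
# tcpdump -d can compile a filter against it offline, so no interface or
# root privileges are needed for the syntax check.
write_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# compile_ok PCAP EXPR -> exit 0 if libpcap accepts EXPR, non-zero otherwise
compile_ok() {
    tcpdump -d -r "$1" "$2" >/dev/null 2>&1
}

# Usage: sh bpf_file.sh OUTFILE HOST...   (no arguments: define functions only)
if [ "$#" -ge 2 ]; then
    out=$1; shift
    filter=$(build_filter "$@")
    if command -v tcpdump >/dev/null 2>&1; then
        tmp=$(mktemp)
        write_empty_pcap "$tmp"
        compile_ok "$tmp" "$filter" || { rm -f "$tmp"; echo "filter rejected: $filter" >&2; exit 1; }
        rm -f "$tmp"
    fi
    printf '%s\n' "$filter" > "$out"
    echo "wrote $out: $filter"
fi
```

Point Snort at the written file with -F as in the quoted command line; the compile check only proves the syntax is accepted, not that the alert source is actually the excluded host.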

