[Snort-users] BPF problem

James Lay jlay at ...13475...
Fri Jul 11 13:43:52 EDT 2014

On 2014-07-11 11:34, Mike Patterson wrote:
> Following up to myself: I’ve tried various permutations of my BPF
> filter to no avail. I tried Snort versions (which is what’s on my
> old sensor), and Always, Snort says it’s reading my BPF filter, and
> always, it’s including alerts for IPs and networks that are in the
> filter.
> My current filter is of the form:
> not (net or not net or not
> I tried a very simple filter - not net - and no joy either.
> I know that the sensor is not simply looking inside GRE tunnels, like
> Robert was seeing - verified with tcpdump and one of our network
> engineers.
> The only substantial difference between these platforms is the one
> with functional BPF filters is built on an Endace DAG, and the other
> is built on an Intel X520 with PF_RING+DNA.
> I verified that tcpdump (built against libpcap that comes with
> PF_RING) does accept my filter. I verified that Snort is using that
> same libpcap.
> I’m not sure what else to try here. Any suggestions? I can tell
> barnyard2 to ignore alerts for the IPs I’d like to ignore, but it
> would be nice to save Snort the overhead in processing them (and my
> disk space).
> Mike

Please copy and paste an alert example.
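The check James is asking for, done mechanically, as an added example that is not part of the original thread: pull the exclusion nets out of a "not (net ... or net ...)" style BPF filter and flag any Snort fast-format alert whose source or destination address falls inside one of them, which is exactly the evidence that the filter is not being applied on the PF_RING sensor. The filter and the alert lines below are constructed (the real networks were stripped from the archived post; RFC 5737 documentation ranges stand in for them). The script assumes every net/host primitive in the filter names an address range the filter was meant to exclude; it does not evaluate arbitrary BPF boolean logic. It follows tcpdump's convention that a bare dotted pair or triple after "net" means a /16 or /24 and a bare dotted quad is a host match.

```python
import ipaddress
import re

# Hypothetical filter of the shape described in the thread; nets are constructed.
EXAMPLE_FILTER = "not (net 192.0.2.0/24 or net 198.51.100.0/24 or host 203.0.113.9)"

# Constructed alerts in Snort "fast" alert format (not taken from the thread).
EXAMPLE_ALERTS = """\
07/11-11:34:01.000001  [**] [1:1000001:1] TEST scan [**] [Priority: 3] {TCP} 192.0.2.15:51234 -> 10.1.1.5:22
07/11-11:34:02.000002  [**] [1:1000002:1] TEST dns [**] [Priority: 3] {UDP} 10.1.1.5:53412 -> 8.8.8.8:53
07/11-11:34:03.000003  [**] [1:1000003:1] TEST web [**] [Priority: 2] {TCP} 10.9.9.9:40000 -> 198.51.100.77:80
07/11-11:34:04.000004  [**] [1:1000004:1] TEST icmp [**] [Priority: 3] {ICMP} 203.0.113.9 -> 10.1.1.5
07/11-11:34:05.000005  [**] [1:1000005:1] TEST ssh [**] [Priority: 1] {TCP} 10.2.2.2:2222 -> 10.1.1.5:22
"""

# "net 10.0.0.0/8", "net 10.1", "host 203.0.113.9" -- the address primitives
# that appear inside a BPF exclusion filter.
_PRIMITIVE = re.compile(r"\b(net|host)\s+(\d{1,3}(?:\.\d{1,3}){0,3}(?:/\d{1,2})?)")

# "{TCP} 192.0.2.15:51234 -> 10.1.1.5:22" (ports are absent for ICMP).
_ALERT = re.compile(
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def excluded_networks(bpf):
    """Return the ip_network objects a 'not (net ... or host ...)' filter excludes.

    Assumption (stated in the lead-in): every net/host primitive in the filter
    is something the filter was meant to drop; no general BPF evaluation here.
    """
    nets = []
    for kind, value in _PRIMITIVE.findall(bpf):
        if kind == "host" or "/" in value:
            # host X, or an explicit CIDR: ip_network gives /32 for a bare address
            nets.append(ipaddress.ip_network(value, strict=False))
        else:
            # tcpdump shorthand: "net 10" -> /8, "net 10.1" -> /16,
            # "net 10.1.2" -> /24, and a bare dotted quad is a host (/32) match.
            octets = value.split(".")
            prefix = 8 * len(octets)
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            nets.append(ipaddress.ip_network(f"{padded}/{prefix}", strict=False))
    return nets


def parse_alert(line):
    """Return (proto, src, dst) from a fast-format alert line, or None."""
    m = _ALERT.search(line)
    if not m:
        return None
    return (m.group("proto"),
            ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")))


def should_have_been_filtered(line, nets):
    """True when either endpoint of the alert lies inside an excluded net."""
    parsed = parse_alert(line)
    if parsed is None:
        return False
    _, src, dst = parsed
    return any(src in n or dst in n for n in nets)


def audit(alert_text, bpf):
    """Return the alert lines that the BPF filter should have prevented."""
    nets = excluded_networks(bpf)
    return [line for line in alert_text.splitlines()
            if should_have_been_filtered(line, nets)]


if __name__ == "__main__":
    leaked = audit(EXAMPLE_ALERTS, EXAMPLE_FILTER)
    print(f"{len(leaked)} alert(s) involve addresses the filter should exclude:")
    for line in leaked:
        print("  ", line)
```

Run it against the real alert file (barnyard2's fast output or Snort's alert file) and the sensor's actual filter: any lines it prints are the alert examples to paste into the thread, and a non-empty result on the PF_RING box alongside an empty one on the DAG box confirms the difference is in filter application rather than in what tcpdump accepts.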

