[Snort-users] BPF problem

Mike Patterson mike.patterson at ...16895...
Fri Jul 11 14:05:11 EDT 2014


On Jul 11, 2014, at 2:00 PM, James Lay <jlay at ...13475...> wrote:

> On 2014-07-11 11:55, Mike Patterson wrote:
>> On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> 
>>> On 7/11/2014 1:34 PM, Mike Patterson wrote:
>>>> Following up to myself: I’ve tried various permutations of my BPF
>>>> filter to no avail. I tried Snort versions 2.9.5.3 (which is what’s
>>>> on my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it’s
>>>> reading my BPF filter, and always, it’s including alerts for IPs and
>>>> networks that are in the filter.
>>>> 
>>>> My current filter is of the form:
>>>> 
>>>> not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)
>>> 
>>> this may not be related to your problem but i can't help seeing the
>>> double negatives in the above... are you wanting to include or exclude
>>> traffic to/from 10.0.0.0/24 and 172.16.12.1?
>>> 
>>> if you want to exclude traffic from them, perhaps you mean to use
>>> 
>>> not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)
>> 
>> That’s actually what I’m using, I just can’t transcribe properly.
>> 
>> Mike
> 
> Give:
> 
> not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)

No joy.

Mike
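Added example, not part of the thread: a stdlib-only Python model of how libpcap evaluates the two filters quoted above (the double-negative one as first transcribed, and the corrected exclusion filter) against a few constructed flows, to show which traffic each actually keeps. It assumes libpcap's documented semantics for `net` and a bare address (`host`), which match when either endpoint qualifies, and writes 1.2.3.4/8 as 1.0.0.0/8 because a prefix with host bits set is rejected by both `ipaddress` and libpcap.

```python
# Added example (not from the thread): models how libpcap evaluates the two
# BPF filters discussed above, using only the standard library.
# Assumption: "net N" is true when the source OR destination address lies in N,
# and a bare address is a host match against either endpoint.
from ipaddress import ip_address, ip_network

# The ranges named in the thread. 1.2.3.4/8 is written as 1.0.0.0/8 because a
# prefix with host bits set is rejected by ipaddress (strict mode) and libpcap.
NET_A = ip_network("1.0.0.0/8")
NET_B = ip_network("10.0.0.0/24")
HOST_C = ip_address("172.16.12.1")

def net(n, src, dst):
    """BPF 'net N': true if either endpoint is inside N."""
    return ip_address(src) in n or ip_address(dst) in n

def host(h, src, dst):
    """BPF bare address / 'host H': true if either endpoint is H."""
    return ip_address(src) == h or ip_address(dst) == h

def double_negative_filter(src, dst):
    """not (net A or not net B or not C), as first transcribed in the thread.
    The inner expression is false only when the flow is inside B AND touches C,
    so this keeps nothing except B<->C traffic: the opposite of an exclusion."""
    return not (net(NET_A, src, dst) or not net(NET_B, src, dst)
                or not host(HOST_C, src, dst))

def intended_filter(src, dst):
    """not (net A or net B or C): keeps only flows touching none of the ranges."""
    return not (net(NET_A, src, dst) or net(NET_B, src, dst)
                or host(HOST_C, src, dst))

# Constructed sample flows (src, dst), not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "172.16.12.1"),     # between excluded net B and excluded host C
    ("10.0.0.5", "8.8.8.8"),         # from excluded net B to the outside
    ("1.2.3.4", "192.0.2.10"),       # from excluded net A
    ("192.0.2.10", "198.51.100.7"),  # touches none of the excluded ranges
]

def evaluate(filt):
    """Return the sample flows the given filter would let through to Snort."""
    return [flow for flow in SAMPLE_FLOWS if filt(*flow)]

if __name__ == "__main__":
    for name, f in (("double negative", double_negative_filter),
                    ("intended", intended_filter)):
        print(f"{name:16}: keeps {evaluate(f)}")
```

Running it shows the double-negative form keeps only the 10.0.0.0/24 to 172.16.12.1 flow, while the corrected form keeps only the flow that touches none of the three ranges, which is the exclusion the poster wanted.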
