[Snort-users] BPF Filters

James Lay jlay at ...13475...
Fri Nov 14 16:16:17 EST 2014


On 2014-11-14 14:06, Turnbough, Bradley E. wrote:
> Hi All,
>
> I've been running snort for quite a while now with no problems.  I
> would like to set up a BPF filter to ignore ESP encapsulated traffic.
>
> As a test, I created a file called snort-em1.bpf and placed the
> following rule in it:
>
> !(src net 192.168.10.0/24 && dst port 22)
>
>
> Then I attempted to start snort:
>
> /usr/sbin/snort -i em1 -u snort -g snort -c /etc/snort/snort-em1.conf
> -f /etc/snort/bpfs/snort-em1.bpf -l /var/log/snort/em1
>
> However, snort refuses to start:
>
> ERROR: Can't set DAQ BPF filter to '/etc/snort/bpfs/snort-em1.bpf'
> (pcap_daq_set_filter: pcap_compile: syntax error)!
>
>
> Can someone please help me?
>
> Brad

Quote it:

"not (src net 192.168.10.0/24 and dst port 22)"

Save some hassle and lose as many special characters as you can.  You 
can test with:

/usr/sbin/snort -i em1 -u snort -g snort -c /etc/snort/snort-em1.conf 
"not (src net 192.168.10.0/24 and dst port 22)"

James
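As an added example (not from the thread or the Snort project), the script below takes a filter file like the one Brad posted, rewrites the C-style operators into the keyword form James suggests, and compiles the result with libpcap through `tcpdump -d` before Snort ever sees it. The file path, the empty pcap used to supply a link type, and the helper names are assumptions of this example.

```sh
#!/bin/sh
# Constructed copy of the filter from the thread; Brad's real file is not available here.
FILTER_FILE="${TMPDIR:-/tmp}/snort-em1.bpf"
printf '!(src net 192.168.10.0/24 && dst port 22)\n' > "$FILTER_FILE"

# Rewrite "!", "&&" and "||" as "not", "and" and "or", join the file onto one line,
# and squeeze whitespace. BPF has no "!=", so a bare "!" is always negation here.
normalize_bpf() {
    tr '\n' ' ' < "$1" \
      | sed -e 's/&&/ and /g' -e 's/||/ or /g' -e 's/!/not /g' \
            -e 's/  */ /g' -e 's/^ //' -e 's/ $//'
}

# Compile an expression with libpcap (tcpdump -d) without touching an interface:
# an empty Ethernet pcap (24-byte global header only) gives tcpdump a link type,
# so this works unprivileged. Exit status: 0 compiles, 1 syntax error, 2 no tcpdump.
check_bpf() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    empty="${TMPDIR:-/tmp}/empty-en10mb.pcap"
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$empty"
    tcpdump -r "$empty" -d "$1" >/dev/null 2>&1
}

# Usage: normalize, verify, then write the cleaned expression back for snort -F.
# (Snort also accepts the expression as trailing arguments, as James shows.)
main() {
    expr="$(normalize_bpf "$FILTER_FILE")"
    check_bpf "$expr"
    case $? in
        0) printf '%s\n' "$expr" > "$FILTER_FILE"
           echo "OK: $expr" ;;
        1) echo "pcap_compile rejected: $expr" >&2; return 1 ;;
        2) echo "tcpdump not found; skipping compile check for: $expr" ;;
    esac
    # /usr/sbin/snort -i em1 -u snort -g snort -c /etc/snort/snort-em1.conf \
    #     -F "$FILTER_FILE" -l /var/log/snort/em1
}
```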



