[Snort-users] Query on Snort BPF

setests setests setests at ...11827...
Sun Feb 5 01:58:05 EST 2017


Hi

If I have a filter like this for Snort, which gets loaded with the -F
switch, why would Snort alert for the IP 172.16.10.37?  The Snort version
I am currently running is 2.9.9.0.

Is my BPF flawed somehow?

not ((udp and port 6000) or (udp and port 7000) or (tcp and port 3389) or
host 172.16.10.37 or host 172.17.38.5 or host 172.18.10.62 or host
172.18.38.24 or net 50.76.0.0/14 or net 60.112.0.0/13 or net 70.120.0.0/14
or net 80.74.0.0/15 or net 90.124.0.0/16 or net 50.125.0.0/17 or net
50.96.0.0/12 or net 50.80.0.0/12 or net 122.245.0.0/16 or net 127.116.0.0/16
or net 127.54.0.0/15 or net 127.60.0.0/16 or net 127.56.0.0/14 or net
84.112.184.0/22)
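
An added example, not part of the original post: a small Python model of the posted expression that checks whether its boolean logic, as written, drops a given packet. It covers only the primitives the filter uses (`host`, `net`, `<proto> and port`) and assumes plain untagged IPv4 packets; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import re

# Filter text copied from the post; whitespace is normalised before parsing.
POSTED_FILTER = """
not ((udp and port 6000) or (udp and port 7000) or (tcp and port 3389) or
host 172.16.10.37 or host 172.17.38.5 or host 172.18.10.62 or host
172.18.38.24 or net 50.76.0.0/14 or net 60.112.0.0/13 or net 70.120.0.0/14
or net 80.74.0.0/15 or net 90.124.0.0/16 or net 50.125.0.0/17 or net
50.96.0.0/12 or net 50.80.0.0/12 or net 122.245.0.0/16 or net 127.116.0.0/16
or net 127.54.0.0/15 or net 127.60.0.0/16 or net 127.56.0.0/14 or net
84.112.184.0/22)
"""

def parse_terms(text):
    """Split the body of a 'not (A or B or ...)' filter into predicate tuples."""
    body = re.fullmatch(r"not \((.*)\)", " ".join(text.split())).group(1)
    terms = []
    for raw in body.split(" or "):
        words = raw.strip("()").split()
        if words[0] in ("udp", "tcp"):            # "<proto> and port <n>"
            terms.append(("proto_port", words[0], int(words[3])))
        elif words[0] == "host":
            terms.append(("net", ipaddress.ip_network(words[1] + "/32")))
        elif words[0] == "net":
            # strict=True raises if host bits are set, which catches prefix typos
            terms.append(("net", ipaddress.ip_network(words[1], strict=True)))
        else:
            raise ValueError("unsupported term: " + raw)
    return terms

def excluded(terms, proto, src, sport, dst, dport):
    """True if the packet matches any term inside not(...), so the filter drops it."""
    addrs = [ipaddress.ip_address(src), ipaddress.ip_address(dst)]
    for term in terms:
        if term[0] == "proto_port":
            if proto == term[1] and term[2] in (sport, dport):
                return True
        elif any(a in term[1] for a in addrs):    # host/net match src or dst
            return True
    return False

def passes(terms, *packet):
    """True if the packet would be handed to Snort under this filter."""
    return not excluded(terms, *packet)

TERMS = parse_terms(POSTED_FILTER)
# Constructed packet: TCP from 172.16.10.37 to a made-up internal host.
print(passes(TERMS, "tcp", "172.16.10.37", 44321, "10.0.0.5", 80))
```
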