<div dir="ltr">snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i &lt;iface&gt; -vvnn src host 10.10.1.1' doesn't return anything, but the alerts keep getting logged.  Why is that?!<div><br>

</div><div style>Cheers,</div><div style><br></div><div style>MA</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <span dir="ltr"><<a href="mailto:rmkml@...843.....1855..." target="_blank">rmkml@...1855...</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><table cellspacing="0" cellpadding="0" border="0"><tbody><tr><td valign="top" style="font:inherit"><p>Thx, I'm curious, what is your snort version please?<br>
Maybe you have vlan?<br>
For example, can you write network traffic with tcpdump and replay the file on tcpdump + snort with bpf?<br>
Do you have the same problem if you add the bpf instructions on the snort cmd line?<br>
Regards<span class="HOEnZb"><font color="#888888"><br>
Rmkml</font></span></p>
</td></tr></tbody></table>            <div>
                <div>
                    <br><div class="hm HOEnZb">
                    </div><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div class="hm HOEnZb">
                        <font face="Tahoma">
                            <hr size="1">
                            <b>
                                <span style="font-weight:bold">From:</span>
                            </b>
                            Miguel Alvarez <<a href="mailto:miguellvrz9@...11827..." target="_blank">miguellvrz9@...11827...</a>>;                            <br>
                            <b>
                                <span>To:</span>
                            </b>
                            rmkml <<a href="mailto:rmkml@...1855..." target="_blank">rmkml@...1855...</a>>;                                                     <br>
                            <b>
                                <span>Cc:</span>
                            </b>
                            Snort Users <<a href="mailto:snort-users@...2902...ists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a>>;                                                                             <br>


                            <b>
                                <span>Subject:</span>
                            </b>
                            Re: [Snort-users] What is the correct syntax for bpf_file?                            <br>
                            <b>
                                <span style="font-weight:bold">Sent:</span>
                            </b>
                            Tue, Jan 29, 2013 4:59:20 PM                            <br>
                            </font></div><div><div class="h5">
                            <br>
                            <table cellspacing="0" cellpadding="0" border="0">
                                <tbody>
                                    <tr>
                                        <td valign="top" style="font:inherit"><div dir="ltr">Thanks for the reply.  I just have one line just to test:<div><br></div><div>not src host (10.10.1.1)<br></div><div><br></div><div>

But it's still triggering alerts after restarting snort.</div>

<div><br></div><div>01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306<br>
</div><div><br></div><div>Any ideas?  I am very familiar with bpf syntax and use it on the command line with tcpdump all the time, so this is very confusing!</div><div><br></div><div>Thank you,</div>

<div><br></div><div>MA</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 29, 2013 at 5:44 PM, rmkml <span dir="ltr"><<a rel="nofollow">rmkml@...1855...</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Miguel,<br>
Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'<br>
Regards<span><font color="#888888"><br>
Rmkml</font></span><div><div><br>
<br>
<br>
<br>
On Tue, 29 Jan 2013, Miguel Alvarez wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have a list of my nessus scanners in my /etc/snort/bpf_file, but they're still triggering alerts.  I've got them listed in the following syntax, for example:<br>
not (src host 10.10.1.1) &&<br>
not (src host 10.10.1.2) &&<br>
not (src host 10.10.1.3)<br>
<br>
And my snort process is pointing to it:<br>
<br>
/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth6 -F /etc/snort/bpf_file<br>
<br>
And it shows up in the syslog when snort starts:<br>
<br>
Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file: /etc/snort/bpf_file<br>
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) &&<br>
not (src host 10.10.1.2) &&<br>
not (src host 10.10.1.3)<br>
<br>
But the alerts keep streaming in (not just this alert):<br>
<br>
01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22<br>
<br>
This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?<br>
<br>
Thank you!<br>
<br>
MA<br>
<br>
</blockquote>
</div></div></blockquote></div><br></div>
</td>
                                    </tr>
                                </tbody>
                            </table>
                    </div></div></div>
                </div>
            </div>
</blockquote></div><br></div>
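<p>An added example, not from anyone in this thread: a small Python script that turns a list of scanner addresses into the one-line BPF exclusion rmkml suggested, and then parses Snort fast-alert lines (the format quoted above) to report any alert whose source is a host the bpf_file was supposed to exclude. That second part is the check the thread is missing: if the filter is really being applied, the report is empty. The <code>vlan_aware</code> option goes beyond the thread and covers rmkml's hint about VLANs using libpcap's documented idiom (the <code>vlan</code> keyword shifts decoding offsets for the rest of the expression, so a plain <code>src host</code> primitive does not match 802.1Q-tagged frames). The alert lines, the <code>SCANNERS</code> list and all function names are constructed for this example.</p>

```python
# Added example (not from the thread): build the BPF exclusion suggested in the
# thread and verify, from Snort fast-alert output, that excluded hosts are not
# still producing alerts. Sample alert lines below are constructed, modelled on
# the format quoted in the thread.
import ipaddress
import re
from collections import Counter

# Snort "fast" alert format:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# Classification is optional, and ICMP alerts carry no ports. IPv4 only here.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample data (hypothetical scanner list and alert lines).
SCANNERS = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]
SAMPLE_ALERTS = [
    "01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22",
    "01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306",
    "01/29-16:57:11.000001  [**] [1:100001:1] CONSTRUCTED ICMP sample [**] [Priority: 3] {ICMP} 10.10.1.2 -> 10.42.1.7",
    "01/29-16:58:42.510000  [**] [1:100002:1] CONSTRUCTED non-scanner sample [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.9:5353 -> 10.42.1.7:5353",
    "this line is not an alert and should be ignored",
]


def parse_fast_alert(line):
    """Return a dict of fields for one fast-alert line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        rec[k] = int(rec[k])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec


def build_bpf_exclusion(hosts, vlan_aware=False):
    """Build a one-line BPF expression that drops traffic sourced from `hosts`.

    Default form is the one suggested in the thread: not src host (A or B or C)
    With vlan_aware=True the same test is repeated behind the 'vlan' keyword so
    802.1Q-tagged frames are excluded too: not (X or (vlan and X))
    """
    if not hosts:
        raise ValueError("at least one host is required")
    # Validate each address so a typo fails here instead of at snort startup.
    joined = " or ".join(str(ipaddress.ip_address(h)) for h in hosts)
    plain = f"src host ({joined})"
    if vlan_aware:
        return f"not ({plain} or (vlan and {plain}))"
    return f"not {plain}"


def alerts_from_excluded_hosts(lines, excluded_hosts):
    """Return parsed alerts whose source address is in excluded_hosts.

    With a working BPF exclusion this list is empty; anything in it means the
    filter is not being applied to the traffic snort actually sees.
    """
    excluded = {ipaddress.ip_address(h) for h in excluded_hosts}
    leaked = []
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is not None and ipaddress.ip_address(rec["src"]) in excluded:
            leaked.append(rec)
    return leaked


def leak_summary(lines, excluded_hosts):
    """Count leaked alerts per excluded source address."""
    return Counter(r["src"] for r in alerts_from_excluded_hosts(lines, excluded_hosts))


if __name__ == "__main__":
    print("bpf_file content:", build_bpf_exclusion(SCANNERS))
    print("vlan-aware form: ", build_bpf_exclusion(SCANNERS, vlan_aware=True))
    for src, n in leak_summary(SAMPLE_ALERTS, SCANNERS).items():
        print(f"{n} alert(s) from excluded host {src}: BPF exclusion is not taking effect")
```

<p>In practice you would feed <code>alerts_from_excluded_hosts</code> the lines of the alert file under <code>-l</code> rather than the constructed samples; a non-empty result after a restart with the new bpf_file is the signal to look at how the filter is being loaded or at the frames on the wire (tagged traffic being the case the <code>vlan_aware</code> form addresses).</p>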