Snort mailing list archives
Re: BPF Question
From: rmkml <rmkml () yahoo fr>
Date: Thu, 8 Mar 2012 08:55:51 +0100 (CET)
Hi Larry,
OK, removed an extra "not" from your BPF example
+ changed style
+ it's not >1024, it's >1023
+ replaced many "and" with "or"; can you test please?
(
     not host (10.200.129.220 or 10.200.48.26 or 10.200.128.60 or 10.200.22.12)
  and not net (10.252.0.0/16 or 10.199.0.0/16 or 10.176.0.0/24 or 10.176.1.0/24 or 10.176.2.0/24 or 10.175.0.0/24)
  and (( tcp[2:2] > 1023 ) or ( tcp[0:2] > 1023))
)
Regards
Rmkml
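The filter above can be checked offline without Snort or tcpdump. The following is an added example, not code from the list post: it emulates the libpcap primitives the filter uses (the `host`/`net` lists joined by `or` versus `and`, and `tcp[offset:size]` as a big-endian byte read into the TCP header) and runs them over constructed IPv4/TCP packets. The packet builder, the function names and the sample addresses outside the exclusion lists are assumptions made for the example. Note that `tcp[2:2]` is the destination port and `tcp[0:2]` the source port; `tcp[1:1]` reads a single byte, so a comparison like `tcp[1:1] > 1023` can never be true.

```python
"""
Emulate the BPF filter from the thread against constructed packets.

Added example (not code from the list post): reproduces the semantics of
'host (...)', 'net (...)' and 'tcp[offset:size]' so the effect of joining
the exclusion lists with 'and' versus 'or' can be observed offline.
"""
import ipaddress
import socket
import struct

# Exclusion lists copied from the filter in the thread.
EXCLUDED_HOSTS = [ipaddress.ip_address(h) for h in (
    "10.200.129.220", "10.200.48.26", "10.200.128.60", "10.200.22.12")]
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.252.0.0/16", "10.199.0.0/16", "10.176.0.0/24",
    "10.176.1.0/24", "10.176.2.0/24", "10.175.0.0/24")]


def build_packet(src_ip, dst_ip, sport, dport):
    """Constructed sample: minimal IPv4 header (no options) + 20-byte TCP SYN."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_field(pkt, offset, size):
    """Emulate BPF's tcp[offset:size]: big-endian read of `size` bytes at
    `offset` into the TCP header, located via the IPv4 header length (IHL)."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")


def addresses(pkt):
    """Source and destination IPv4 addresses from the IP header."""
    return ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])


def host_match(pkt, hosts, op):
    """'host (a or b)' is true if a or b is src or dst; with 'and' every
    listed host must be src or dst of the same packet (impossible for >2)."""
    src, dst = addresses(pkt)
    hits = [h == src or h == dst for h in hosts]
    return any(hits) if op == "or" else all(hits)


def net_match(pkt, nets, op):
    """Same rule as host_match, but for 'net (...)' prefix lists."""
    src, dst = addresses(pkt)
    hits = [src in n or dst in n for n in nets]
    return any(hits) if op == "or" else all(hits)


def filter_match(pkt, op="or"):
    """Evaluate:
       not host (...) and not net (...) and (tcp[2:2] > 1023 or tcp[0:2] > 1023)
    with `op` selecting how the host/net lists are joined ('or' or 'and')."""
    if host_match(pkt, EXCLUDED_HOSTS, op):
        return False
    if net_match(pkt, EXCLUDED_NETS, op):
        return False
    return tcp_field(pkt, 2, 2) > 1023 or tcp_field(pkt, 0, 2) > 1023


if __name__ == "__main__":
    # Constructed samples: addresses not in the lists are assumed values.
    samples = [
        ("10.252.1.5", "10.1.1.1", 51000, 80),       # inside an excluded net
        ("10.200.129.220", "10.1.1.1", 51000, 443),  # an excluded host
        ("10.1.1.1", "10.2.2.2", 40000, 22),         # allowed, high src port
        ("10.1.1.1", "10.2.2.2", 53, 80),            # both ports low
    ]
    for s in samples:
        p = build_packet(*s)
        print(f"{s[0]:>15} -> {s[1]:<10} {s[2]:>5}->{s[3]:<5}"
              f" or:{filter_match(p, 'or')!s:<5} and:{filter_match(p, 'and')!s:<5}"
              f" tcp[1:1]={tcp_field(p, 1, 1)}")
```

With the lists joined by `and`, the first two samples still pass the filter, because no single packet can involve all four hosts or all six networks at once, so the `not` of that list is always true and nothing is excluded; that matches the symptom of seeing 10.252.0.0/16 flows despite the filter.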
On Wed, 7 Mar 2012, eltra1n wrote:
Hello - I am loading the following BPF file in Snort.conf

((src || dst host ! (10.200.129.220 and 10.200.48.26 and 10.200.128.60 and not 10.200.22.12) && src || dst net ! (10.252.0.0/16 and 10.199.0.0/16 and 10.176.0.0/24 and 10.176.1.0/24 and 10.176.2.0/24 and 10.175.0.0/24) && tcp[2:2] > 1024 || tcp[1:1] > 1024))

I just want to look at TCP high ports and ignore some networks and hosts.

I am also loading perfmon:

preprocessor perfmonitor: \
#preprocessor perfmonitor: time 30 flow-ip flow-ip-file flow-ip-stats.csv pktcnt 1000

In the flow-ip-stats.csv I see traffic to and from 10.252.0.0/16 (in my BPF file). I thought this would have been filtered. Is my BPF syntax wrong?

Thanks,
Larry

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- BPF Question eltra1n (Mar 07)
- Re: BPF Question rmkml (Mar 07)