I'm running Snort 2.4.5 (the pkg) on OpenBSD 4.0 and I use a bpf filter file to have Snort ignore certain hosts altogether.
The command I'm using is 'snort -D -i dc1 -F bpfile' When I have the single line of- not host 192.168.1.69 Snort runs fine. But when I lengthen the bpf filter file to- not host 192.168.1.69 and not host 10.1.1.1 and not host 4.2.2.2 ... 60 more addresses ... and not host 6.6.6.6 Snort chokes with the following error- snort: FATAL ERROR: OpenPcap() setfilter: BIOCSETF: Invalid argument The BPF file I'm using is one I pulled from another snort installation I have running on -gasp- Fedora (I mention this because it has no problems parsing the same file.) Is there a way to have multiple entries in the BPF file that I'm missing... am I using the wrong syntax (is there an alternative to 'and not host' that I need to use)? Dan Farrell Applied Innovations [EMAIL PROTECTED]
