Hi all,
I'm running snort-2.6 on some RHEL AS4 boxes; using BASE-1.3.6 as a web frontend.
A few days ago, I added some BPF filters to avoid alerts from known IPs:
Code:
[admin /home/sight]$ cat etc/bsd.pf
not (src net 111.108.16) and not (src net 222.108) and not (src host 161.171.181.191)
[admin /home/sight]$ ps -ef |grep snort
nobody 5023 1 0 Jun19 ? 00:05:02 bin/snort -N -D -i eth0 -g nobody -u nobody -F etc/bsd.pf -c etc/snort.conf
After restarting snort, I found that the web interface takes these newly added BPF filters as new sensors:
Code:
sensor.ID -- sensor-name -----------
64 145.145.145.15:eth0:not (src net 111.108.16) and not (src net 222.181) and not (src host 161.171.181.191) 3 1 2 1 2007-06-18 2007-06-19
I think this may be caused by snort itself.
I'm just wondering why snort takes these BPF filters as a new sensor entry, and how I can avoid this.
Thanks for any hints.