Wednesday, March 07, 2007

Q: How do I put a bpf filter on a detection engine?

A:
  • On the IS, create a file containing your bpf. This could be called /etc/sf/snort.bpf. This file can have multiple bpfs on one line. Comments are also allowed with the # sign. For example:
    not net 192.168.0.0/16 and not port 80
  • Edit /var/sf/detection_engines/{crazynumber}/user.conf (the directory of the detection engine you want to filter). This file should be blank, and you will need to add the following line to it:
    config bpf_file: /etc/sf/snort.bpf
  • Restart the sensor software:
    /etc/rc.d/init.d/sensor restart
Once these files have been created, you can just copy the user.conf and snort.bpf files into place on your other sensors and detection engines and restart the sensor software to configure the rest of the machines. There is no way to verify that this is working other than checking your events. Snort will not start if the bpf has a syntax error; watch /var/log/messages after the restart to catch this.
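The three steps above as one script, an added example that is not part of the original post. It stages snort.bpf and the detection engine's user.conf under a root directory (so the same script can be pushed to every sensor), reduces the bpf file to the single expression Snort will compile by stripping the # comments, and, when tcpdump is installed, pre-compiles that expression against an empty pcap so a syntax error is caught before the sensor restart rather than found in /var/log/messages afterwards. The function names, the root-directory argument and the empty-pcap check are this example's own; the file paths and the config line are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: stage /etc/sf/snort.bpf and the
# detection engine's user.conf under a root directory, so the same script can
# be run on every sensor. Function names and the root argument are this
# example's own; the file paths and the "config bpf_file:" line are the post's.
set -eu

# Reduce the bpf file to the single expression Snort compiles:
# drop '#' comments, join the lines, squeeze whitespace.
bpf_expression() {  # $1 = bpf file
    sed 's/#.*//' "$1" | tr -s '[:space:]' ' ' | sed 's/^ *//; s/ *$//'
}

# Make user.conf carry exactly one "config bpf_file:" line, whether it is
# blank (as the post expects) or already has an earlier bpf_file line.
add_bpf_config() {  # $1 = user.conf, $2 = path Snort reads the bpf from
    if [ -f "$1" ] && grep -q '^config bpf_file:' "$1"; then
        sed "s|^config bpf_file:.*|config bpf_file: $2|" "$1" > "$1.tmp"
        mv "$1.tmp" "$1"
    else
        printf 'config bpf_file: %s\n' "$2" >> "$1"
    fi
}

# Optional pre-check: compile the expression with "tcpdump -d" against an
# empty Ethernet pcap, so nothing is captured and no interface is opened.
# Returns non-zero on a syntax error; skipped when tcpdump is not installed.
check_bpf_syntax() {  # $1 = bpf expression
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not found, skipping bpf syntax check" >&2
        return 0
    fi
    pcap="${TMPDIR:-/tmp}/bpfcheck.$$.pcap"
    # 24-byte pcap global header: magic, version 2.4, zone 0, sigfigs 0,
    # snaplen 65535, linktype 1 (Ethernet); no packet records follow.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$pcap"
    if tcpdump -r "$pcap" -d "$1" >/dev/null; then rc=0; else rc=1; fi
    rm -f "$pcap"
    return $rc
}

# The three steps from the post: write the bpf, point user.conf at it, and
# leave the restart to the operator (it needs the real sensor, not a staging root).
install_bpf() {  # $1 = root dir ("/" on a real sensor), $2 = detection engine id, $3 = bpf text
    root=${1%/}
    bpf_file="$root/etc/sf/snort.bpf"
    user_conf="$root/var/sf/detection_engines/$2/user.conf"
    mkdir -p "$root/etc/sf" "$root/var/sf/detection_engines/$2"
    printf '%s\n' "$3" > "$bpf_file"
    check_bpf_syntax "$(bpf_expression "$bpf_file")"
    # The config line must name the path Snort will open, not the staging path.
    add_bpf_config "$user_conf" /etc/sf/snort.bpf
    echo "staged $bpf_file and $user_conf; now run: /etc/rc.d/init.d/sensor restart" >&2
}

# Usage on a sensor (the engine id is the directory under /var/sf/detection_engines):
#   install_bpf / 1234 'not net 192.168.0.0/16   # backup subnet
#   and not port 80'
```

Running install_bpf twice against the same engine leaves a single config line, so the script is safe to re-run when the filter changes; the restart is deliberately left to the operator because the syntax check only proves the expression compiles, not that Snort on the sensor accepted the file.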

Q: Why am I getting CPU 100% alerts every night from the IS?

A:
It's happening because of the tape backups. They produce a lot of traffic. If you don't want to inspect all of this traffic, you can put a bpf (filter) on the detection engine on each IS.