Peter the rules listed are kernel hash filters added by the DAQ module (you can disable them with --daq-var no-kernel-filters) every time snort emits a verdict, in order to reduce the amount of traffic it has to analyze. Those rules are automatically removed when idle for more than 5 minutes (you can change the default with --daq-var kernel-filters-idle-timeout=<seconds>)
Regards Alfredo On Jul 11, 2012, at 12:39 PM, Peter Bates wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Hello again all > > On 11/07/2012 10:46, Alfredo Cardigliano wrote: >> the BPF filter is not counted as "Sw Filt. Rules" (this only >> includes wildcard and hash rules) > >> BPF Filtering : Enabled # Sw Filt. Rules : 17176 # Hw Filt. >> Rules : 0 > > Okay, so what are the 17176 rules listed? > Is this the action of the clustering hashing the packets to the > different instances? > > - -- > Peter Bates > Senior Computer Security Officer Phone: +44(0)2076792049 > Information Services Division Internal Ext: 32049 > University College London > London WC1E 6BT > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.17 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQEcBAEBAgAGBQJP/VfGAAoJELhVoVpEMS6RvxAH/RakX+LbYrzy26eYeZSXDc7s > sLDosX2v7E1+C6xn8pXvce91mGqml+niZbK+XJyERMEF+kicD/VGWPML1KsVvEDn > FATw4lKrzO3hdKEjvjqga0M5QOM99G1GVdJ6JI+agwBszfBASfobjkBs7L+NhTlU > mEi3pox0JnN9qGeZ3g6JW1zGur2nkGKQu1H4Dlfa014XHQNnTAgahgSrHTRnAoRX > uzK6A2khtssQFPx0X9m/2GjOADc//8xxpt/swhy9nDKmChf3npfcQe36FldCYMdf > 7w2lg4uepYJUFGeik4sXv65pkQjx1yGhc4CSoeNz9IdtmpJtmq9N05qd3y6LAdI= > =RwA7 > -----END PGP SIGNATURE----- > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
