Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Correct bpf_file syntax?

From: JJC <cummingsj () gmail com>
Date: Tue, 21 Feb 2012 16:38:28 -0700
Running any vlan tagging etc?  Possible to get a pcap?

JJC

On Tue, Feb 21, 2012 at 4:27 PM, Miguel Alvarez <miguellvrz9 () gmail com>wrote:


I am receiving many alerts that are a FP in my environment and I'm
trying to determine the correct syntax for my bpf_file but nothing
that I've tried seems to be working.  This is the alert:

02/21-22:55:39.442989  [**] [3:13667:11] BAD-TRAFFIC dns cache
poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
{UDP} 10.1.6.1:53 -> 10.21.2.23:45498
02/21-22:55:42.154344  [**] [3:13667:11] BAD-TRAFFIC dns cache
poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
{UDP} 10.1.6.1:53 -> 10.21.2.21:46966

I've tried the following one by one (that is, not all at the same
time) but none seem to work:

not src host 10.1.6.1
!(src host 10.1.6.1)
not (src host 10.1.6.1 and dst net 10.21.2.0/24)
not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)

It makes me realise that I'm not very proficient with this so can
someone please tell me what would be the correct syntax?  And if there
is an online reference for this, I would love to know what it might
be.

Thank you


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: