Snort mailing list archives
Re: Correct bpf_file syntax?
From: JJC <cummingsj () gmail com>
Date: Tue, 21 Feb 2012 16:38:28 -0700
Running any vlan tagging etc? Possible to get a pcap?

JJC

On Tue, Feb 21, 2012 at 4:27 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
I am receiving many alerts that are an FP in my environment and I'm trying to determine the correct syntax for my bpf_file but nothing that I've tried seems to be working. This is the alert:

02/21-22:55:39.442989 [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.23:45498
02/21-22:55:42.154344 [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.21:46966

I've tried the following one by one (that is, not all at the same time) but none seem to work:

not src host 10.1.6.1
!(src host 10.1.6.1)
not (src host 10.1.6.1 and dst net 10.21.2.0/24)
not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)

It makes me realise that I'm not very proficient with this so can someone please tell me what would be the correct syntax? And if there is an online reference for this, I would love to know what it might be.

Thank you
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
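The filters Miguel lists are all syntactically valid BPF, so if nothing matches, the cause is more likely the traffic than the syntax, which is why JJC asks about VLAN tagging: a BPF expression such as `src host 10.1.6.1` tests the IPv4 header at the offset it has in an untagged Ethernet frame, and on an 802.1Q-tagged frame that test simply fails, so `not (...)` is true and the packet still reaches Snort. The script below is an added example and is not code from the thread or from the Snort project. It constructs a handful of frames shaped like the alerted packets (untagged, tagged, a different resolver, a different subnet, TCP instead of UDP), decodes them the way libpcap's `vlan` primitive shifts offsets, and reports which frames the intended exclusion would drop. It also writes the frames to `dns_fp.pcap` (a name chosen here) so the real BPF compiler can be checked with tcpdump; the bpf_file line it prints assumes Snort passes the file's contents to libpcap as one expression.

```python
"""Added example: show what a bpf_file exclusion for the DNS alert in this
thread would and would not drop, including the 802.1Q-tagged case.
All packets below are constructed for illustration."""
import ipaddress
import socket
import struct
import time

EXCLUDE = "udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24"
# Assumption: Snort hands the bpf_file contents to pcap_compile() as one expression.
# The second clause is needed only if the sensor sees 802.1Q-tagged frames.
BPF_FILE_LINE = f"not ({EXCLUDE}) and not (vlan and {EXCLUDE})"


def _checksum(data):
    """RFC 1071 one's-complement checksum for the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src, dst, sport, dport, proto=17, vlan=None, payload=b"\x12\x34\x81\x80"):
    """Ethernet (+ optional 802.1Q tag) / IPv4 / UDP or minimal TCP frame."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header, no options, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # dst, src MAC (made up)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)  # TPID + TCI (VLAN id, priority 0)
    return eth + struct.pack("!H", 0x0800) + ip + l4


def decode(frame, handle_vlan=True):
    """Return (proto, src, sport, dst, dport, tagged), or None if the IPv4
    tests cannot match. handle_vlan=False models a filter written without the
    'vlan' keyword: the ethertype at offset 12 is 0x8100, not 0x0800, so every
    ip/udp/host/port test in the expression evaluates false."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    tagged = False
    if ethertype == 0x8100:
        if not handle_vlan:
            return None
        tagged = True
        off += 4  # skip TCI; 'vlan' shifts all later offsets by 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != 0x0800:
        return None
    ip_off = off + 2
    ihl = (frame[ip_off] & 0x0F) * 4
    proto = frame[ip_off + 9]
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return proto, src, sport, dst, dport, tagged


def matches_exclude(frame, handle_vlan=True):
    """Evaluate EXCLUDE against one frame."""
    d = decode(frame, handle_vlan)
    if d is None:
        return False
    proto, src, sport, dst, _dport, _tagged = d
    return (proto == 17 and src == "10.1.6.1" and sport == 53
            and ipaddress.ip_address(dst) in ipaddress.ip_network("10.21.2.0/24"))


# Constructed samples; the first two mirror the two alert lines in the thread.
SAMPLES = {
    "alert_untagged": build_frame("10.1.6.1", "10.21.2.23", 53, 45498),
    "alert_tagged":   build_frame("10.1.6.1", "10.21.2.21", 53, 46966, vlan=100),
    "other_resolver": build_frame("10.1.6.2", "10.21.2.23", 53, 45498),
    "other_subnet":   build_frame("10.1.6.1", "10.22.2.23", 53, 45498),
    "tcp_from_53":    build_frame("10.1.6.1", "10.21.2.23", 53, 45498, proto=6),
}


def filter_report(handle_vlan=True):
    """name -> True if the frame still reaches Snort under 'not (EXCLUDE)'."""
    return {name: not matches_exclude(fr, handle_vlan) for name, fr in SAMPLES.items()}


def write_pcap(path, frames):
    """Classic pcap, LINKTYPE_ETHERNET (1), so tcpdump -r can apply the real filter."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        ts = int(time.time())
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", ts, i, len(fr), len(fr)) + fr)


if __name__ == "__main__":
    write_pcap("dns_fp.pcap", list(SAMPLES.values()))
    for label, report in (("with 'vlan' clause", filter_report(True)),
                          ("without 'vlan'", filter_report(False))):
        print(label, {k: ("passes" if v else "dropped") for k, v in report.items()})
    print("bpf_file line:", BPF_FILE_LINE)
    print(f"verify: tcpdump -n -r dns_fp.pcap '{BPF_FILE_LINE}'")
```

Run it, then run the printed tcpdump command over `dns_fp.pcap`: the two alert-shaped frames should disappear and the other three should be listed; drop the `vlan` clause from the expression and the tagged frame comes back. Two caveats worth keeping in mind with this approach: a bpf_file exclusion removes the packets from Snort entirely, so every rule goes blind to that resolver's DNS responses, not only sid 13667; if the goal is just to silence this one signature for this one source, a Snort 2.x suppression such as `suppress gen_id 3, sig_id 13667, track by_src, ip 10.1.6.1` in threshold.conf is narrower. And the `vlan` primitive applies to the rest of the expression after it, so on mixed tagged and untagged traffic the exclusion has to be written twice, as above.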
Current thread:
- Correct bpf_file syntax? Miguel Alvarez (Feb 21)
- Re: Correct bpf_file syntax? JJC (Feb 21)
- Re: Correct bpf_file syntax? Richard Bejtlich (Feb 22)