Snort mailing list archives
Re: Network Variables
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 02 May 2013 08:46:56 -0600
Your filter should be the last thing, so shift that -T to in front of it. Any of the winsnort folks wanna chime in here?

James

On 2013-05-02 08:42, Seth Dunn wrote:

To make the command line more simple, I did this:

    C:\>d:\snort\bin\snort -c d:\snort\etc\snort2.conf -i2 'not net 10.10.0.0/24' -T

I get this result:

    pcap DAQ configured to passive.
    The DAQ version does not support reload.
    Acquiring network traffic from "\Device\NPF_{62D05284-3337-4ED4-8151-E1D6D2926918}".
    ERROR: Can't set DAQ BPF filter to ''not net 10.10.0.0/24' -T' (╠πQ)!
    Fatal Error, Quitting..

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Thursday, May 02, 2013 10:31 AM
To: Snort
Subject: Re: [Snort-users] Network Variables

This worked like a champ for me:

    [08:19:26 me@box:~/snort$ sudo snort -c snort.conf 'not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80'
    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    <snip>
    Decoding Ethernet

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.4.6 GRE (Build 73)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using libpcap version 1.1.1
               Using PCRE version: 8.12 2011-01-15
               Using ZLIB version: 1.2.3.4

               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build 18>
               Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
    <snip>
               Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>

    Commencing packet processing (pid=28871)

James

On 2013-05-02 08:16, Seth Dunn wrote:

Same. It doesn't matter if the call is using the .conf file, or through the -F command line switch

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Thursday, May 02, 2013 10:12 AM
To: Snort
Subject: Re: [Snort-users] Network Variables

What happens when you try it via command line?

On 2013-05-02 08:09, Seth Dunn wrote:

Also of note. It seems that if snort starts with a bpf file configured....then for whatever reason, all traffic is no longer monitored, even though snort has started. So while this rule:

    not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

is pretty specific..... I have another rule set in my local.rules file that should alert on any FTP attempt to IP 10.76.65.1....and if the bpf file is configured for snort, then the attempt is not alerted by snort. If I remove the bpf file from being used, then any FTP attempt is again alerted.

From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Thursday, May 02, 2013 8:10 AM
To: Snort
Subject: Re: [Snort-users] Network Variables

Quotation marks may be needed…try appending via command line as well.

James

On May 2, 2013, at 5:50 AM, Seth Dunn <seth () d2ms com> wrote:

What is DAQ? I have seen that, but have no idea what that is.

As far as my bpf file goes, if it is like this:

    #not net 10.10.0.0/24 and not net 10.30.0.0/24
    not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

It will fail with:

    Reading filter from bpf file: D:\Snort\etc\ignore2.bpf
    ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)
    Fatal Error, Quitting..

If I remove the commented line, then snort starts fine. If I try to have multiple lines in the file (all being rules, no comments), then it will fail with a similar error as above. I have never seen a DAQ error.

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Thursday, May 02, 2013 12:08 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

Snort does allow comments in the BPF file, starting with # to end of line. If there is a syntax error, you should see something like:

    ERROR: Can't set DAQ BPF filter to ' ... ' (pcap_daq_set_filter: pcap_compile: syntax error)!
    Fatal Error, Quitting..

What DAQ are you using? Please send the BPF file that fails and the error that you get.

On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 5/1/2013 13:09, Seth Dunn wrote:
> But any ideas why snort fails to start if I add in a '#' to comment a line??

I have no clue but it sounds like a coding error not allowing comment lines in the BPF file... only joel or one of the snort dev guys can tell us that... or possibly a code diver who can root around in the snort code ;)

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
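The filter posted in this thread is worth checking against concrete traffic, because the DAQ applies the BPF before any rule runs: whatever the filter rejects is never inspected, which is what a rule in local.rules cannot see. The following is an added example, not code from the thread or from Snort: a small Python evaluator for the pcap-filter subset the thread uses (net, src/dst host, src/dst port, not/and/or, parentheses), implementing libpcap's rule that and/or have equal precedence and associate left to right; it runs over flows written as dicts, and the dict shape, the function names and the sample flows are this example's own constructions.

```python
import ipaddress
import re

# Filter exactly as posted in the thread; pcap-filter accepts && and || as synonyms for and/or.
THREAD_FILTER = ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 "
                 "or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
_TOKEN = re.compile(r"\(|\)|&&|\|\||!|[\w./-]+")

def compile_bpf(expr):
    """Compile a pcap-filter subset (net, [src|dst] host/port, not, and, or, parens) into a flow predicate."""
    tokens = _TOKEN.findall(expr)
    peek = lambda: tokens[0] if tokens else None
    take = lambda: tokens.pop(0)
    def primitive():
        tok = take()
        if tok == "(":
            node = expression()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        if tok in ("not", "!"):  # negation binds tightest
            inner = primitive()
            return lambda flow: not inner(flow)
        side = tok if tok in ("src", "dst") else None
        tok, value = (take() if side else tok), take()
        sides = [side] if side else ["src", "dst"]  # unqualified primitive matches either end
        if tok == "net":
            net = ipaddress.ip_network(value, strict=False)
            return lambda flow: any(ipaddress.ip_address(flow[s]) in net for s in sides)
        if tok == "host":
            return lambda flow: any(flow[s] == value for s in sides)
        if tok == "port":  # flow keys: "src"[0] + "port" -> "sport", "dst"[0] + "port" -> "dport"
            return lambda flow: any(flow[s[0] + "port"] == int(value) for s in sides)
        raise ValueError("unsupported primitive: " + tok)
    def expression():
        # pcap-filter gives and/or EQUAL precedence, left to right: "a or b and c" is "(a or b) and c".
        node = primitive()
        while peek() in ("and", "&&", "or", "||"):
            is_and, right = take() in ("and", "&&"), primitive()
            node = (lambda l, r, a: lambda f: (l(f) and r(f)) if a else (l(f) or r(f)))(node, right, is_and)
        return node
    result = expression()
    if tokens:  # e.g. an option such as -T glued onto the filter string, as happened in the thread
        raise ValueError("unexpected token: " + tokens[0])
    return result

def inspected(expr, flows):
    """Flows Snort would inspect: the DAQ applies the BPF first, so rejected packets never reach the rules."""
    match = compile_bpf(expr)
    return [flow for flow in flows if match(flow)]
```

Run against constructed flows, the posted filter passes HTTP to 10.75.45.1 (including from 10.10.0.0/24, because the second "not net" clause is true for that source) and rejects an FTP attempt to 10.76.65.1, so a local.rules FTP rule never sees that packet while the filter is active.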
Current thread:
- Re: Network Variables, (continued)
- Re: Network Variables Russ Combs (May 01)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables James Lay (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables James Lay (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables James Lay (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables James Lay (May 02)
- Re: Network Variables Castle, Shane (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables James Lay (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables Castle, Shane (May 02)
- Re: Network Variables seth (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables Seth Dunn (May 02)
- Re: Network Variables beenph (May 02)