Snort mailing list archives
Re: Snort BPF.filter doesn't work
From: Robert Millott <robm () millottandassociates com>
Date: Thu, 10 Jul 2014 14:13:14 -0400
All,

Finally figured it out. Thanx Jeremy for leading me in the right direction. The traffic I was looking at was GRE encapsulated, so while the bpf filters were ignoring packets based on src and dst ip address, the snort rules were seeing the encapsulated data, which contained the 192.168.1.1 address snort was looking for, and that's why snort alerts were firing despite my telling it to drop those addresses.

Thanx again everyone for the help.

On Thu, Jul 10, 2014 at 12:38 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On 2014-07-10 10:25, Robert Millott wrote:
>> I understand about the business IP, can you clean up a single line and modify the addresses? I just want to see if there is something wrong with my syntax. My system is also off the internet, so I understand that problem.
>>
>> My bpf.filter has a single line in it:
>>
>> not host 192.168.1.1
>>
>> so I just wanted to see if yours had any different syntax I may be missing out on.
>>
>> The way I tested it was I added a snort rule to my misc.rules. The rule is:
>>
>> alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid:99999; rev:1;)
>>
>> This alert fires constantly whenever I hit the web page on 192.168.1.1. I then fired up snort, adding a -F /etc/snort/bpf.filter to the command line, and looking for alerts. I continue to get alerts on my test rule, which tells me snort isn't ignoring all my traffic to that host. Suggestions?
>>
>> Yea, I've seen the pfring stuff, and debated switching to it, but it looks like a lot of effort to set up, and I was originally hoping a real simple bpf filter would do what I needed.
>>
>> Thanx
>
> Please copy and paste an actual alert event text.
>
> James
--
Robert Millott
President, Millott and Associates
(443) 255-3588
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
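The GRE explanation above, worked through as an added example (not code from the thread or from Snort): a constructed Ethernet/IPv4/GRE/IPv4/TCP frame whose outer addresses are 10.0.0.x and whose inner destination is 192.168.1.1, a decoder that shows the outer addresses a pcap-level `not host` filter sees versus the inner addresses Snort's decoder matches the rule against, and a BPF expression that also excludes the inner host. The expression assumes a 20-byte outer IPv4 header and a 4-byte GRE header with no checksum, key or sequence fields, so inner src/dst sit at ip[36:4] and ip[40:4]; the frame, addresses and helper names are constructed for this example.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
IPPROTO_TCP = 6

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options (checksum left zero; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_gre_frame(outer_src, outer_dst, inner_src, inner_dst):
    """Ethernet + outer IPv4 + 4-byte GRE header (no C/K/S fields) + inner IPv4 + TCP SYN to port 80."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp)) + tcp
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)  # constructed zero MACs
    return eth + outer + gre + inner

def outer_addrs(frame):
    """What a pcap-level 'not host X' filter evaluates: src/dst of the first IPv4 header only."""
    ip = frame[14:34]
    return str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))

def inner_addrs(frame):
    """What Snort's decoder matches the rule against after stripping the GRE encapsulation."""
    outer_ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_GRE:
        return None
    gre_off = 14 + outer_ihl
    flags, proto = struct.unpack("!HH", frame[gre_off:gre_off + 4])
    # RFC 2784/2890: C (0x8000), K (0x2000) and S (0x1000) each add a 4-byte field after the base header
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if proto != ETHERTYPE_IPV4:
        return None
    ip = frame[gre_off + gre_len:]
    return str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))

def bpf_filter_for_inner(host):
    """BPF that also drops GRE packets whose inner src/dst is host (assumes 20-byte outer IP, 4-byte GRE)."""
    h = int(ipaddress.IPv4Address(host))
    return (f"not host {host} and not (ip proto 47 and "
            f"(ip[36:4] = {h:#010x} or ip[40:4] = {h:#010x}))")

if __name__ == "__main__":
    f = build_gre_frame("10.0.0.1", "10.0.0.2", "172.16.5.9", "192.168.1.1")
    print("outer:", outer_addrs(f), "inner:", inner_addrs(f))
    print(bpf_filter_for_inner("192.168.1.1"))
```

The outer pair never contains 192.168.1.1, so the original filter passes the frame through to the decoder, where the inner destination matches the test rule; the extended expression is only a fixed-offset workaround and will not cover GRE headers with key/checksum/sequence options or outer IP options.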