Snort mailing list archives

BPF problem


From: Mike Patterson <mike.patterson () uwaterloo ca>
Date: Thu, 10 Jul 2014 21:06:05 +0000

I had a look through recent posts on the list and saw other people had issues, but their solutions don’t seem to be 
mine.
The situation is I have two machines running Snort; the older one is at 2.9.5.3, the newer one is at 2.9.6.

I copied relevant pieces of config from the older install to the newer one, and I’m running them both more or less 
identically (it’s not completely identically because their hardware differs).

My problem is everything seems hunky dory on the new box, except it’s not respecting my BPF filters. On the older 
machine, I pass them on the command line: -F /etc/snort/snort-bpfexclusions.conf. On the newer one, I tried that, and 
it claims to be reading the exclusions:

Jul 10 13:31:03 snort[21071]: Reading filter from bpf file: /etc/snort/snort-bpfexclusions.conf

But it’s triggering alerts on hosts in my ranges. My exclusions look like this, with IPs somewhat anonymized (RFC1918 addresses are internal, others are external):

!(net 1.2.3.4/8) and !(net 10.20.0.0/23) and !(host 9.10.11.12) and !(host 9.10.11.13) and !(host 10.0.0.1) and !(host 10.0.0.2) and !(host 10.0.0.3) and !(host 10.0.0.4) and !(host 10.0.0.5) and !(host 10.0.0.6) and !(host 10.0.0.7) and !(net 172.16.0.0/12) and !(net 10.50.0.0/24) and !(net 10.60.0.0/24)

All one line, of course.

When that didn’t seem to work, I uncommented and set:
config bpf_file: /etc/snort/snort-bpfexclusions.conf

Same deal.

Unlike another more recent poster, I do not believe that my sensor is seeing those IPs within a GRE tunnel - or rather, 
if it is, then *both* hosts should be firing, and the older install definitely isn’t.

I can see how well 2.9.5.3 does on the newer machine, but I’d rather not.

I’m calling snort as such:

/usr/local/bin/snort -D -u snort -g snort -F /etc/snort/snort-bpfexclusions.conf -c /etc/snort/snort.conf --pid-path /fsys1/snortpids --create-pidfile -y --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna1@15 --daq-var bindcpu=15 -l /fsys1/snort-dna-15 --perfmon-file /fsys1/snort-dna-15/snort-dna-15.stats -G 15 -l /fsys1/snort-dna-15

(times 16 with differing values for interface, bindcpu, etc.)

If it matters, and I don’t think it should but who knows - the older machine is built around an Endace DAG, the newer 
one on an Intel X520. The newer one seems to be otherwise behaving exactly as I’d like.

Any suggestions?

Thanks,

Mike
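A way to sanity-check an exclusion file like the one in the post before handing it to Snort, added here as an example and not part of the original message: it parses the restricted "!(net ...) and !(host ...)" grammar with Python's ipaddress module, flags "net" terms whose host bits are set under the mask (libpcap refuses to compile such a term, reporting "non-network bits set"), and reports whether a given src/dst pair would be dropped. The addresses are the post's anonymized values; the src/dst pairs in the test are constructed.

```python
import ipaddress
import re

# Constructed subset of the exclusion filter from the post (the poster's
# anonymized addresses), on one line as the -F file expects.
EXCLUSIONS = ("!(net 1.2.3.4/8) and !(net 10.20.0.0/23) and !(host 9.10.11.12) "
              "and !(host 10.0.0.1) and !(net 172.16.0.0/12) and !(net 10.50.0.0/24)")

# Only this restricted grammar is handled: a conjunction of negated net/host
# terms, no 'or', no src/dst qualifiers, no ports.
TERM_RE = re.compile(r"!\(\s*(net|host)\s+([0-9.]+(?:/\d+)?)\s*\)")


def split_terms(expr):
    """Yield (kind, value) for each '!(...)' term; reject anything else."""
    for term in (t.strip() for t in expr.split(" and ")):
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError("unsupported term: %r" % term)
        yield m.group(1), m.group(2)


def rejected_terms(expr):
    """'net' terms with host bits set under the mask. libpcap refuses to
    compile such a term ("non-network bits set"), so the whole file fails."""
    bad = []
    for kind, value in split_terms(expr):
        try:
            ipaddress.ip_network(value, strict=(kind == "net"))
        except ValueError:
            bad.append("!(%s %s)" % (kind, value))
    return bad


def parse_exclusions(expr):
    """Excluded networks with host bits masked off (a host becomes a /32)."""
    return [ipaddress.ip_network(v, strict=False) for _, v in split_terms(expr)]


def is_excluded(nets, src, dst):
    """True if the filter drops the packet: 'host'/'net' with no src/dst
    qualifier matches either endpoint, so any packet touching an excluded
    address is dropped in both directions."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in nets)
```

Running `tcpdump -d -F /etc/snort/snort-bpfexclusions.conf` compiles the same file with libpcap and prints the generated program, which separates a filter that does not compile from one that compiles but is not being applied.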
