Snort mailing list archives
Re: BPF problem
From: Mike Patterson <mike.patterson () uwaterloo ca>
Date: Wed, 16 Jul 2014 15:35:49 +0000
Nope, not VLAN tagging. I'll look at the possibility it's the DNA DAQ.

Mike

On Jul 16, 2014, at 10:42 AM, elof () sentor se wrote:

> Hi Mike!
>
> Jumping in here even though I haven't read the full thread.
>
> Is some of the sniffed traffic VLAN-tagged and some not? (This is a common and painful problem with SPAN on e.g. HP procurve switches.)
>
> Perhaps you are filtering out all plain (untagged) traffic for net 10.0.0.0/23, while tagged packets aren't filtered, and therefore processed by snort as usual?
>
> You can test this theory by running:
>
>   tcpdump -nl vlan and net 10.0.0.0/23
>
> If you see traffic, you have 10.0.0.0/23-traffic that is tagged. To remove it, remove the vlan-tag from the SPAN (best solution) or extend your bpf filter to also filter out tagged net 10.0.0.0/23:
>
>   not net 10.0.0.0/23 and not (vlan and not net 10.0.0.0/23)
>
> (note that using bpf filters, and more so complex ones, will have negative performance impact)
>
> /Elof
>
> On Fri, 11 Jul 2014, Mike Patterson wrote:
>
>> On Jul 11, 2014, at 2:14 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>
>>> On 2014-07-11 12:05, Mike Patterson wrote:
>>>
>>>> On Jul 11, 2014, at 2:00 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>>>
>>>>> On 2014-07-11 11:55, Mike Patterson wrote:
>>>>>
>>>>>> On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>>>>>
>>>>>>> On 7/11/2014 1:34 PM, Mike Patterson wrote:
>>>>>>>
>>>>>>>> Following up to myself: I've tried various permutations of my BPF filter to no avail. I tried Snort versions 2.9.5.3 (which is what's on my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it's reading my BPF filter, and always, it's including alerts for IPs and networks that are in the filter.
>>>>>>>>
>>>>>>>> My current filter is of the form:
>>>>>>>>
>>>>>>>>   not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)
>>>>>>>
>>>>>>> this may not be related to your problem but i can't help seeing the double negatives in the above... are you wanting to include or exclude traffic to/from 10.0.0.0/24 and 172.16.12.1? if you want to exclude traffic from them, perhaps you mean to use
>>>>>>>
>>>>>>>   not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)
>>>>>>
>>>>>> That's actually what I'm using, I just can't transcribe properly.
>>>>>>
>>>>>> Mike
>>>>>
>>>>> Give:
>>>>>
>>>>>   not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)
>>>>
>>>> No joy.
>>>>
>>>> Mike
>>>
>>> This worked for me ok:
>>>
>>>   sudo snort -i eth0 -c snort/snort.conf not net 10.0.0.0/8
>>>
>>> You can also test just BPF ability with:
>>>
>>>   sudo snort -i eth0 not net 10.0.0.0/8
>>
>> Sadly, not for me:
>>
>>   sudo /usr/local/bin/snort -i dna1@0 --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive not net (my entire netblock)
>>
>> provides a firehose. But:
>>
>>   Running in packet dump mode
>>
>>           --== Initializing Snort ==--
>>   Initializing Output Plugins!
>>   Snort BPF option: not net (my netblock)
>>   pfring_dna DAQ configured to passive.
>>   Acquiring network traffic from "dna1@0".
>>
>>           --== Initialization Complete ==--
>>
>>      ,,_     -*> Snort! <*-
>>     o"  )~   Version 2.9.6.1 GRE (Build 56)
>>      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>              Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
>>              Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>              Using libpcap version 1.1.1
>>              Using PCRE version: 7.8 2008-09-05
>>              Using ZLIB version: 1.2.3
>>
>> I know that's an older pcap version, but it's what ships with PF_RING.
>>
>> Mike
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
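The VLAN-tag bypass Elof describes, modelled in Python as an added example (not code from the thread, from Snort or from libpcap): a compiled `net` test reads the EtherType at offset 12 and the IP addresses at fixed offsets after a 14-byte Ethernet header, so an 802.1Q-tagged copy of the same packet fails `net 10.0.0.0/23` and `not net 10.0.0.0/23` lets it through to the sensor. The combined filter is modelled here as `not net 10.0.0.0/23 and not (vlan and net 10.0.0.0/23)`, i.e. the untagged clause plus a tagged clause over the same network (an assumption about the intended form), and every frame is constructed inline with placeholder MAC addresses.

```python
import ipaddress
import struct

ETH_P_IP = 0x0800     # EtherType IPv4
ETH_P_8021Q = 0x8100  # EtherType 802.1Q VLAN tag (TPID)


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame: 14-byte Ethernet header, optional 4-byte
    802.1Q tag, 20-byte IPv4 header with no payload. MACs are placeholders."""
    hdr = bytes.fromhex("001122334455" "66778899aabb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    hdr += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return hdr + ip


def _ipv4_addrs(frame, l2_len):
    """(src, dst) if an IPv4 header sits at link-layer offset l2_len, else None.
    Like a compiled BPF 'net' test, the EtherType is read at a fixed offset."""
    if len(frame) < l2_len + 20:
        return None
    if struct.unpack_from("!H", frame, l2_len - 2)[0] != ETH_P_IP:
        return None
    return (ipaddress.IPv4Address(frame[l2_len + 12:l2_len + 16]),
            ipaddress.IPv4Address(frame[l2_len + 16:l2_len + 20]))


def net_matches(frame, cidr, tagged=False):
    """Plain 'net N' (tagged=False) expects IPv4 at offset 14; 'vlan and net N'
    (tagged=True) requires TPID 0x8100 at offset 12 and shifts IPv4 to 18."""
    net = ipaddress.ip_network(cidr)
    if tagged:
        if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
            return False
        addrs = _ipv4_addrs(frame, 18)
    else:
        addrs = _ipv4_addrs(frame, 14)
    return addrs is not None and any(a in net for a in addrs)


def naive_filter(frame, cidr):
    """'not net N': True means the packet passes the filter and reaches Snort."""
    return not net_matches(frame, cidr)


def vlan_aware_filter(frame, cidr):
    """'not net N and not (vlan and net N)': drops untagged and tagged copies."""
    return not net_matches(frame, cidr) and not net_matches(frame, cidr, tagged=True)
```

On a real sensor, `tcpdump -d '<filter>'` prints the compiled BPF program, which shows which EtherType value and offsets each clause actually tests.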