Snort mailing list archives
Re: Snort BPF.filter doesn't work
From: Robert Millott <robm () millottandassociates com>
Date: Tue, 8 Jul 2014 14:38:49 -0400
Anyone else have any experience working with BPF Filters? I have followed all the directions I have been able to find and set up my filters, but a test rule I created continues to fire, even though the bpf filter should ignore that host entirely.

Thank you

On Thu, Jul 3, 2014 at 1:26 PM, Robert Millott <robm () millottandassociates com> wrote:

> unfortunately, my snort install is on a non-internet connected network so I can't provide the .conf file.
>
> my command to start snort is:
>
> /usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path /etc/snort/ --nolock-pidfile --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i enps50f0 -F /etc/snort/bpf.filter -D
>
> snort version is 2.9.6 GRE (Build 47)
> host OS is 3.14.4 gentoo
>
> Thanx for the help
>
> On Thu, Jul 3, 2014 at 1:19 PM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:
>
>> Robert,
>>
>> Can you provide the following:
>>
>> 1. Copy of your snort.conf
>> 2. The syntax in which you are starting Snort
>> 3. What version of Snort are you using?
>>
>> -Nick
>>
>> From: Robert Millott <robm () millottandassociates com>
>> Date: Thursday, July 3, 2014 at 1:16 PM
>> To: nmavis <nmavis () cisco com>, snort-users <snort-users () lists sourceforge net>
>> Subject: Re: [Snort-users] Snort BPF.filter doesn't work
>>
>>> Nick
>>>
>>> Thanx for the suggestion. Unfortunately, same results. The startup screen shows it reads the file, but the alert keeps showing up in my logs.
>>>
>>> On Thu, Jul 3, 2014 at 1:10 PM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:
>>>
>>>> Robert,
>>>>
>>>> Try the following without any additions:
>>>>
>>>> not host 192.168.1.1
>>>>
>>>> -Nick
>>>>
>>>> From: Robert Millott <robm () millottandassociates com>
>>>> Date: Thursday, July 3, 2014 at 12:14 PM
>>>> To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
>>>> Subject: [Snort-users] Snort BPF.filter doesn't work
>>>>
>>>>> I am trying to filter some data. I created a rule in my misc.rules that I know will always fire, i.e.
>>>>>
>>>>> alert tcp any any -> 192.168.1.1 80 (msg:"my test rule"; sid:60999; rev:1;)
>>>>>
>>>>> That rule fires constantly whenever I go to the website at 192.168.1.1
>>>>>
>>>>> I then create a /etc/snort/bpf.filter that contains one line
>>>>>
>>>>> !(host 192.168.1.1)
>>>>>
>>>>> I then edited snort.conf and uncommented the bpf.filter line so it reads
>>>>>
>>>>> config bpf_file: /etc/snort/bpf.filter
>>>>>
>>>>> When I run snort and watch /var/log/messages, the above alert continues to fire.
>>>>>
>>>>> I also tried using it with the command line option of -F /etc/snort/bpf.filter. This didn't work either.
>>>>>
>>>>> I also tried setting bpf.filter to read (not host 192.168.1.1); that didn't work either.
>>>>>
>>>>> When I start snort, I see the line that reads
>>>>>
>>>>> Snort BPF Option: !(host 192.168.1.1)
>>>>>
>>>>> and yet I still see my above test alert message in my /var/log/messages.
>>>>>
>>>>> Anyone know why the bpf.filter isn't filtering the data?
>>>>>
>>>>> --
>>>>> Robert Millott
>>>>> President, Millott and Associates
>>>>> (443) 255-3588
-- Robert Millott President, Millott and Associates (443) 255-3588
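A way to check, independently of Snort, what a BPF expression such as `not host 192.168.1.1` should let through to the detection engine. This is an added example, not code from the thread or from Snort or libpcap: it replays a capture through a small stand-in for the `[not] [src|dst] host A.B.C.D` subset of pcap-filter syntax (accepting `!` and parentheses the way libpcap does), over Ethernet/IPv4/TCP frames in a classic pcap file, and counts how many surviving packets would still match the thread's test rule (`-> 192.168.1.1 80`). The capture, the addresses and all function names are constructed for the example; point `read_pcap` at a real little-endian pcap from the sensor to compare against what Snort alerts on.

```python
"""Replay a capture through a 'host' filter to predict what Snort sees after
the BPF filter has dropped packets.  Added example; only the tiny subset of
pcap-filter syntax used in the thread is implemented, over Ethernet+IPv4."""
import socket
import struct


def _ipv4_packet(src, dst, dport, sport=40000):
    """Build an Ethernet/IPv4/TCP SYN frame (constructed test data, no checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1404000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield raw frames from a little-endian classic pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def ipv4_addrs(frame):
    """Return (src, dst, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    dport = None
    if frame[23] == 6 and len(frame) >= 14 + ihl + 4:          # protocol 6 = TCP
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return src, dst, dport


def compile_filter(expr):
    """Turn '[not] [src|dst] host A.B.C.D' (or '!(host A.B.C.D)') into a predicate.

    'host' matches either endpoint; 'src host' / 'dst host' are directional,
    which is the distinction that decides whether a reply packet is kept."""
    toks = expr.replace("!", " not ").replace("(", " ").replace(")", " ").split()
    negate = bool(toks) and toks[0] == "not"
    if negate:
        toks = toks[1:]
    direction = toks.pop(0) if toks and toks[0] in ("src", "dst") else "both"
    if len(toks) != 2 or toks[0] != "host":
        raise ValueError("unsupported filter: %r" % expr)
    addr = toks[1]

    def match(frame):
        parsed = ipv4_addrs(frame)
        if parsed is None:
            hit = False                                      # non-IPv4 never matches 'host'
        else:
            src, dst, _ = parsed
            hit = {"src": src == addr, "dst": dst == addr,
                   "both": addr in (src, dst)}[direction]
        return not hit if negate else hit
    return match


def apply_bpf_filter(pcap_bytes, expr):
    """Return (src, dst, dport) of every packet the filter lets through."""
    keep = compile_filter(expr)
    return [ipv4_addrs(f) for f in read_pcap(pcap_bytes) if keep(f)]


def rule_hits(pcap_bytes, expr, rule_dst="192.168.1.1", rule_dport=80):
    """Count surviving packets that the thread's test rule (-> host 80) would match."""
    return sum(1 for _, dst, dport in apply_bpf_filter(pcap_bytes, expr)
               if dst == rule_dst and dport == rule_dport)


# Constructed capture: a client talking to the web server at 192.168.1.1,
# the server's reply, and one unrelated flow.  Not traffic from the thread.
SAMPLE_PCAP = _pcap([
    _ipv4_packet("192.168.1.50", "192.168.1.1", 80),
    _ipv4_packet("192.168.1.1", "192.168.1.50", 40000, sport=80),
    _ipv4_packet("192.168.1.50", "10.0.0.9", 443),
])

if __name__ == "__main__":
    for expr in ("!(host 192.168.1.1)", "not host 192.168.1.1",
                 "not dst host 192.168.1.1", "host 192.168.1.1"):
        print("%-26s keeps %s, rule hits: %d" % (
            expr, apply_bpf_filter(SAMPLE_PCAP, expr), rule_hits(SAMPLE_PCAP, expr)))
```

With the exclusion filter in place the rule-hit count is zero, so an alert that still appears in /var/log/messages is coming from a packet the BPF filter never saw, or from a Snort instance not running with that filter; comparing the two counts on a real capture from the sensor narrows that down.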
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort BPF.filter doesn't work Robert Millott (Jul 03)
- Re: Snort BPF.filter doesn't work Nicholas Mavis (nmavis) (Jul 03)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 03)
- Re: Snort BPF.filter doesn't work Nicholas Mavis (nmavis) (Jul 03)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 03)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 08)
- Re: Snort BPF.filter doesn't work Geoffrey Serrao (Jul 08)
- Re: Snort BPF.filter doesn't work James Lay (Jul 08)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work James Lay (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 03)
- Re: Snort BPF.filter doesn't work Nicholas Mavis (nmavis) (Jul 03)