Snort mailing list archives
Re: Snort 1.8.7b6 not listen to BPF filters
From: Michael Scheidell <scheidell () secnap net>
Date: Fri, 19 Jul 2002 15:18:29 -0400 (EDT)
> > Ok, had to try. :)
> >
> > /usr/local/bin/snort -doDI -m 022 -z \
> >   -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> >   not src host 10.1.1.10
> >
> > does not record tcp attacks.
>
> Ok, correct me if I'm wrong: But that's what you want, right? If that's the
> case then the failure must be in the -F option.
Source of attack was 216.241.67.74. Destination was 10.1.1.10. If I do this from .74:

lynx http://scanner.secnap.net/scripts/cmd-exe?dir+c../../c

WITHOUT BPF filter, it logs the attack. If I do it WITH BPF filter, it ignores it (and 100% of the TCP attacks worldwide). It didn't use to do that, it used to work; the BPF filter is not new!
> Ping thought, but does TCPdump show the same behavior when passing it a
> 'file' of filters?
Snort fails if I have "not src host" on the command line at the end as well as the -F option. tcpdump seems to work as expected:

tcpdump -w dump.tcp -F /etc/snort/snort.bpf
tcpdump: listening on rl0

tcpdump -Xnr dump.tcp
15:15:20.302802 216.241.67.74.1158 > 10.1.1.10.80: P 0:575(575) ack 1 win 17376 <nop,nop,timestamp 1545145 415943445> (DF)
0x0000 4500 0273 b808 4000 3306 5745 cf12 5c1a E..s..@.3.WE..\.
0x0010 0a01 010a 0486 0050 3864 4e0f 0f38 d0de .......P8dN..8..
0x0020 8018 43e0 1b89 0000 0101 080a 0017 93b9 ..C.............
0x0030 18ca cb15 4745 5420 2f73 6372 6970 7473 ....GET./scripts
0x0040 2f63 6d64 2d65 7865 3f64 6972 2b63 2e2e /cmd-exe?dir+c..
0x0050 2f2e /.

SO.... tcpdump is fine.
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/
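An added example, not code from the thread or from Snort: a Python script that rebuilds the packet from the tcpdump -X lines above, decodes the IPv4/TCP headers, and evaluates a "not src host" style expression against it, so the expected result of a BPF filter can be checked by hand against what Snort actually logged (the packet above should be kept by "not src host 10.1.1.10" and dropped by "not host 10.1.1.10"). Only the hypothetical subset "not? (src|dst)? host A.B.C.D" of BPF syntax is handled; note that the hex bytes decode to source address 207.18.92.26, not the 216.241.67.74 shown in the summary line.

```python
import re
import struct
import ipaddress
# Constructed sample: the tcpdump -X lines quoted in the message above.
TCPDUMP_X = r"""
0x0000 4500 0273 b808 4000 3306 5745 cf12 5c1a E..s..@.3.WE..\.
0x0010 0a01 010a 0486 0050 3864 4e0f 0f38 d0de .......P8dN..8..
0x0020 8018 43e0 1b89 0000 0101 080a 0017 93b9 ..C.............
0x0030 18ca cb15 4745 5420 2f73 6372 6970 7473 ....GET./scripts
0x0040 2f63 6d64 2d65 7865 3f64 6972 2b63 2e2e /cmd-exe?dir+c..
0x0050 2f2e /.
"""
LINE_RE = re.compile(r"^\s*0x([0-9a-f]{4}):?((?:\s+[0-9a-f]{4}){1,8})", re.I)
FILTER_RE = re.compile(r"^(not\s+)?(?:(src|dst)\s+)?host\s+(\S+)$")

def parse_hexdump(text):
    """Rebuild raw bytes from tcpdump -X lines (offset, up to eight hex groups; ASCII column ignored)."""
    out = bytearray()
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        if int(m.group(1), 16) != len(out):
            raise ValueError("non-contiguous offset at 0x%s" % m.group(1))
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)

def decode_ipv4_tcp(pkt):
    """Extract the IPv4/TCP fields a host filter looks at (assumes IPv4, no checksum checks)."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if info["proto"] == 6:  # TCP: ports, then skip the header and options to the payload
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["payload"] = pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    return info

def host_filter(expr):
    """Turn a 'not? (src|dst)? host A.B.C.D' expression (hypothetical BPF subset) into a predicate."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    negate, direction = bool(m.group(1)), m.group(2)
    addr = str(ipaddress.IPv4Address(m.group(3)))
    def pred(info):
        seen = [info[direction]] if direction else [info["src"], info["dst"]]
        return (addr in seen) != negate
    return pred

def filter_keeps(expr, dump_text):
    """True if capture filter `expr` would pass the packet given as tcpdump -X text."""
    return host_filter(expr)(decode_ipv4_tcp(parse_hexdump(dump_text)))
```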