Snort mailing list archives
Re: Snort 1.8.7b6 not listen to BPF filters
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 19 Jul 2002 12:34:29 -0700 (PDT)
On Fri, 19 Jul 2002, Michael Scheidell wrote:
> /usr/local/bin/snort -doDI -m 022 -z \
>   -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
>   not src host 10.1.1.10

Ok, assuming this is your command line...

> does not record tcp attacks.

Ok, correct me if I'm wrong: But that's what you want, right? If that's the case then the failure must be in the -F option.

> source of attack was 216.241.67.74. Destination was 10.1.1.10
> If I do this from .74:
> lynx http://scanner.secnap.net/scripts/cmd-exe?dir+c../../c
> WITHOUT BPF filter, it logs attack. If I do it WITH bpf filter, it ignores it (and 100% of the TCP attacks worldwide). Didn't use to do that, used to work. bpf filter is not new!

Nope it's not. :) But there is some parser code which is....

On the whim of an old man, try enclosing the filter in single quotes ( ' filter foo ' ) and see if that changes anything. It almost seems as if snort is reading your filter as 'not src' instead of 'not src host foo'.

> snort fails if I have not src host on command line at end as well as -F option. tcpdump seems to work as expected:

Since the code for read_file (snort.c:2712) is identical to tcpdump's read_file except for closing the bpf filter file, I don't think it's in there. I'm starting to think it might be parsed odd without quotes. When I use quotes around mine, I have no issues. :-/

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
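An added example, not part of the thread or of Snort: plain shell showing how the trailing filter from the command line above reaches a program's argv with and without quotes, with a tcpdump-style join of the remaining words beside a truncating parser, plus a sanity check that flags a filter cut off after a dangling qualifier. The function names and the qualifier list are assumptions for the illustration.

```sh
#!/bin/sh
# Added example: argv shape of a trailing BPF filter, quoted vs unquoted.

# How many argv words the filter occupies after shell word splitting.
count_words() {
    printf '%d' "$#"
}

# tcpdump-style handling: every remaining word is joined into one expression.
join_filter_args() {
    printf '%s' "$*"
}

# A parser that keeps only the first remaining word (hypothetical, for contrast).
first_word_only() {
    printf '%s' "$1"
}

# Sanity check: reject an expression whose last word is a qualifier or
# operator that still needs an operand, e.g. "not src" from a truncated filter.
# Qualifier list is a constructed subset of BPF keywords, not exhaustive.
filter_looks_complete() {
    last=${1##* }
    case "$last" in
        ''|not|and|or|src|dst|host|net|port|proto) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed command-line tails: the filter from the thread, both ways.
echo "unquoted: $(count_words not src host 10.1.1.10) argv words"     # 4
echo "quoted:   $(count_words 'not src host 10.1.1.10') argv words"   # 1

joined=$(join_filter_args not src host 10.1.1.10)
first=$(first_word_only not src host 10.1.1.10)
echo "joined  -> '$joined'"   # full expression, as tcpdump would see it
echo "first   -> '$first'"    # 'not' alone, an invalid BPF expression

for f in "$joined" "$first" 'not src'; do
    if filter_looks_complete "$f"; then
        echo "ok        : '$f'"
    else
        echo "incomplete: '$f'"
    fi
done
```

Running it with a real capture tool, the same point can be checked by passing the expression once quoted and once unquoted and comparing which form the tool reports back as its filter.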