Snort mailing list archives

Re: Snort 1.8.7b6 not listen to BPF filters


From: "Andrew R. Baker" <andrewb () snort org>
Date: Fri, 19 Jul 2002 16:28:46 -0400

Michael Scheidell wrote:
> Ok, had to try.  :)
>
> /usr/local/bin/snort -doDI -m 022 -z \
> -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> not src host 10.1.1.10
>
> does not record tcp attacks.

Ok, correct me if I'm wrong: but that's what you want, right?
If that's the case, then the failure must be in the -F option.


> source of attack was 216.241.67.74.  Destination was 10.1.1.10
>
> If I do this from .74:
>
> lynx http://scanner.secnap.net/scripts/cmd-exe?dir+c../../c
>
> WITHOUT BPF filter, it logs the attack.
>
> If I do it WITH bpf filter, it ignores it (and 100% of the TCP attacks
> worldwide)
>
> didn't used to do that, used to work
>
> bpf filter is not new!


Ping thought, but does TCPdump show the same behavior when passing it a 'file'
of filters?


> snort fails if I have not src host on command line at end as well as -F
> option.


Try running Snort without the "-z" commandline option. You are telling Snort to ignore packets that are not part of an established session, but are only letting it see half the conversation you want to see alerts for.

-A
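The interaction Andrew describes is easy to miss, so here is an added illustration (my own toy code, not Snort's stream4 or its BPF engine). It models the thread's setup: a BPF filter of `not src host 10.1.1.10` applied before the sensor, a session tracker that only calls a flow established once it has seen SYN, SYN-ACK and the final ACK (the `-z` behaviour), and a content rule for the request path from the thread. The packet list is a constructed capture; the addresses are the ones quoted above.

```python
"""Toy model of why `-z` plus a one-directional BPF filter silences TCP alerts.
Added example, not Snort code: a tiny subset of BPF expression evaluation and a
minimal three-way-handshake tracker standing in for stream4's 'established' check."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


def bpf_match(expr, pkt):
    """Evaluate the BPF subset used in the thread: '', 'host X', 'src host X',
    'dst host X', each optionally prefixed with 'not'. True means the packet
    passes the filter and reaches the sensor."""
    tokens = expr.split()
    negate = tokens[:1] == ["not"]
    if negate:
        tokens = tokens[1:]
    if not tokens:
        result = True
    elif len(tokens) == 3 and tokens[0] in ("src", "dst") and tokens[1] == "host":
        result = (pkt.src if tokens[0] == "src" else pkt.dst) == tokens[2]
    elif len(tokens) == 2 and tokens[0] == "host":
        result = tokens[1] in (pkt.src, pkt.dst)
    else:
        raise ValueError(f"unsupported filter: {expr!r}")
    return result != negate


class SessionTracker:
    """Flow becomes 'established' only after SYN, SYN-ACK and the final ACK
    have all been observed, keyed by (client, server)."""

    def __init__(self):
        self.state = {}

    def observe(self, pkt):
        if pkt.flags == "S":
            self.state[(pkt.src, pkt.dst)] = "syn"
        elif pkt.flags == "SA" and self.state.get((pkt.dst, pkt.src)) == "syn":
            self.state[(pkt.dst, pkt.src)] = "synack"
        elif "A" in pkt.flags and self.state.get((pkt.src, pkt.dst)) == "synack":
            self.state[(pkt.src, pkt.dst)] = "established"

    def established(self, pkt):
        return "established" in (self.state.get((pkt.src, pkt.dst)),
                                 self.state.get((pkt.dst, pkt.src)))


def detect(packets, bpf="", established_only=False):
    """Pipeline: BPF filter -> session tracker -> content rule.
    Returns the payloads that would have produced an alert."""
    tracker = SessionTracker()
    alerts = []
    for pkt in packets:
        if not bpf_match(bpf, pkt):
            continue                      # filtered out: the sensor never sees it
        tracker.observe(pkt)
        if b"/scripts/cmd" in pkt.payload.lower():   # stand-in for the web rule
            if established_only and not tracker.established(pkt):
                continue                  # -z: suppressed, handshake never completed
            alerts.append(pkt.payload)
    return alerts


ATTACKER, VICTIM = "216.241.67.74", "10.1.1.10"

# Constructed capture: handshake, then the request quoted in the thread.
CAPTURE = [
    Packet(ATTACKER, VICTIM, "S"),
    Packet(VICTIM, ATTACKER, "SA"),      # the only packet with src 10.1.1.10
    Packet(ATTACKER, VICTIM, "A"),
    Packet(ATTACKER, VICTIM, "PA", b"GET /scripts/cmd-exe?dir+c../../c HTTP/1.0\r\n"),
]

FILTER = "not src host 10.1.1.10"

if __name__ == "__main__":
    print("no filter, no -z     :", len(detect(CAPTURE)))
    print("filter, no -z        :", len(detect(CAPTURE, FILTER)))
    print("filter + -z          :", len(detect(CAPTURE, FILTER, True)))
    print("no filter + -z       :", len(detect(CAPTURE, "", True)))
```

Running it shows the symptom from the thread: with the filter alone the request still alerts, with `-z` alone it still alerts, but with both the SYN-ACK from 10.1.1.10 never reaches the tracker, the flow never becomes established, and the alert is suppressed. Dropping `-z`, as suggested above, or writing a filter that keeps both directions of the flows you care about, restores the alert.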
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users