Re: Correct bpf_file syntax?

[Richard Bejtlich <taosecurity () gmail com>]

Hello,

Have you tried running tcpdump with the -d flag and your various BPFs to
see how they are rendered in code?

Richard

On Tuesday, February 21, 2012, Miguel Alvarez wrote:

> I am receiving many alerts that are a FP in my environment and I'm
> trying to determine the correct syntax for my bpf_file but nothing
> that I've tried seems to be working.  This is the alert:
>
> 02/21-22:55:39.442989  [**] [3:13667:11] BAD-TRAFFIC dns cache
> poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
> {UDP} 10.1.6.1:53 -> 10.21.2.23:45498
> 02/21-22:55:42.154344  [**] [3:13667:11] BAD-TRAFFIC dns cache
> poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
> {UDP} 10.1.6.1:53 -> 10.21.2.21:46966
>
> I've tried the following one by one (that is, not all at the same
> time) but none seem to work:
>
> not src host 10.1.6.1
> !(src host 10.1.6.1)
> not (src host 10.1.6.1 and dst net 10.21.2.0/24)
> not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)
>
> It makes me realise that I'm not very proficient with this so can
> someone please tell me what would be the correct syntax?  And if there
> is an online reference for this, I would love to know what it might
> be.
>
> Thank you
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net <javascript:;>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!