Snort mailing list archives
Re: Correct bpf_file syntax?
From: Richard Bejtlich <taosecurity () gmail com>
Date: Wed, 22 Feb 2012 17:53:17 -0500
Hello, Have you tried running tcpdump with the -d flag and your various BPFs to see how they are rendered in code? Richard On Tuesday, February 21, 2012, Miguel Alvarez wrote:
I am receiving many alerts that are a FP in my environment and I'm trying to determine the correct syntax for my bpf_file but nothing that I've tried seems to be working. This is the alert: 02/21-22:55:39.442989 [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.23:45498 02/21-22:55:42.154344 [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.21:46966 I've tried the following one by one (that is, not all at the same time) but none seem to work: not src host 10.1.6.1 !(src host 10.1.6.1) not (src host 10.1.6.1 and dst net 10.21.2.0/24) not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24) It makes me realise that I'm not very proficient with this so can someone please tell me what would be the correct syntax? And if there is an online reference for this, I would love to know what it might be. Thank you ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <javascript:;> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Correct bpf_file syntax? Miguel Alvarez (Feb 21)
- Re: Correct bpf_file syntax? JJC (Feb 21)
- Re: Correct bpf_file syntax? Richard Bejtlich (Feb 22)