Snort mailing list archives

Re: Maybe a problem with my bpf filters


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Wed, 28 Nov 2012 13:36:23 +0000

On Wed, Nov 28, 2012 at 9:02 AM, C. L. Martinez <carlopmart () gmail com> wrote:
Hi all,

 I am seeing a lot of messages like this after my snort sensor goes up:

Nov 27 20:28:37 newfsbd snort[29761]: S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue). 10.201.27.24 2627 --> 10.196.0.12 80 (0) : LWstate 0x9 LWFlags 0x406007
Nov 27 20:28:37 newfbsd snort[29761]: S5: Pruned session from cache that was using 4294826 bytes (closed normally). 10.201.27.24 2627 --> 10.196.0.12 80 (0) : LWstate 0x9 LWFlags 0x60e007
Nov 27 20:30:45 newfbsd snort[29761]: S5: Pruned session from cache that was using 1966875 bytes (closed normally). 10.196.4.5 17842 --> 10.196.0.72 25 (0) : LWstate 0x9 LWFlags 0x40e007
Nov 27 20:32:14 newfbsd snort[29761]: S5: Pruned session from cache that was using 3919030 bytes (closed normally). 10.201.27.24 2682 --> 10.196.0.12 80 (0) : LWstate 0x9 LWFlags 0x40e007

Searching about this problem, some people point to a problem with
stream5's configuration, but I think the problem is in my bpf config
file.

I have tried to increase memcap in stream5 config and setting to 0
max_queued_bytes param, without luck. For these reasons I think the
problem is in the filter settings: snort only sees some portion of the
stream (like Russ Combs says here
http://marc.info/?l=snort-users&m=134193815409615&w=2)

My actual bpf.conf filter is:

not (tcp port 3310 or tcp port 3333 or tcp port 3600 or tcp port 3610
or tcp port 8000 or tcp port 8080 or tcp port 8100) or
not (tcp portrange 50000-50010 or tcp portrange 51000-51010)

Any idea??

Sorry, complete bpf filter is:

not (tcp port 80 or tcp port 81 or tcp port 82 or tcp port 1090 or tcp
port 3200 or tcp port 3210 or tcp port 3300) or
not (tcp port 3310 or tcp port 3333 or tcp port 3600 or tcp port 3610
or tcp port 8000 or tcp port 8080 or tcp port 8100) or
not (tcp portrange 50000-50010 or tcp portrange 51000-51010)

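As an added illustration (not part of the original thread), the small model below applies the boolean structure of the posted filter to a few constructed TCP packets, using the pcap-filter meaning of `tcp port N` (source or destination port is N) and `tcp portrange`, and sets it beside a form that joins the three groups with a single `not (... or ... or ...)`. The packet model and sample ports are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    """Minimal packet model: only the two TCP ports matter to these primitives."""
    sport: int
    dport: int


def tcp_port(*ports):
    # "tcp port N" is true when either the source or the destination port is N.
    wanted = set(ports)
    return lambda p: p.sport in wanted or p.dport in wanted


def tcp_portrange(lo, hi):
    # "tcp portrange lo-hi" is true when either port falls inside the range.
    return lambda p: lo <= p.sport <= hi or lo <= p.dport <= hi


def any_of(*preds):
    return lambda p: any(f(p) for f in preds)


def negate(pred):
    return lambda p: not pred(p)


# The three parenthesised groups exactly as they appear in the posted filter.
GROUP_A = tcp_port(80, 81, 82, 1090, 3200, 3210, 3300)
GROUP_B = tcp_port(3310, 3333, 3600, 3610, 8000, 8080, 8100)
GROUP_C = any_of(tcp_portrange(50000, 50010), tcp_portrange(51000, 51010))

# Posted form: "not (A) or not (B) or not (C)".  A packet that matches one
# group still fails the other two "not" clauses, so the "or" admits it.
posted_filter = any_of(negate(GROUP_A), negate(GROUP_B), negate(GROUP_C))

# Single-negation form: "not (A or B or C)" drops every listed port.
exclusive_filter = negate(any_of(GROUP_A, GROUP_B, GROUP_C))

# Constructed samples; the first two mirror the port pairs in the log lines above.
SAMPLE = [
    TcpPacket(2627, 80),     # client -> web server on port 80 (group A)
    TcpPacket(17842, 25),    # SMTP session, in no group
    TcpPacket(50005, 8080),  # matches group B and group C at once
]


def evaluate(filt, packets):
    """Return, per packet, whether the filter would pass it to the sensor."""
    return [filt(p) for p in packets]
```

`evaluate(posted_filter, SAMPLE)` passes all three packets, while `evaluate(exclusive_filter, SAMPLE)` passes only the SMTP one.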