Re: Re : Re: What is the correct syntax for bpf_file?

[Miguel Alvarez <miguellvrz9 () gmail com>]

snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i
<iface> -vvnn src host 10.10.1.1' doesn't return anything but the alerts
keep getting logged.  Why is that?!

Cheers,

MA


On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml () yahoo fr> wrote:

> Thx, Im curious what is your snort version please ?
> Maybe you have vlan ?
> For example can you write network trafic with tcpdump like and replay file
> on tcpdump + snort with bpf ?
> Do you have same pb if you add bpf instructions on snort cmd line ?
> Regards
> Rmkml
>
>  ------------------------------
> * From: * Miguel Alvarez <miguellvrz9 () gmail com>;
> * To: * rmkml <rmkml () yahoo fr>;
> * Cc: * Snort Users <snort-users () lists sourceforge net>;
> * Subject: * Re: [Snort-users] What is the correct syntax for bpf_file?
> * Sent: * Tue, Jan 29, 2013 4:59:20 PM
>
>   Thanks for the reply.  I just have one line just to test:
>
> not src host (10.10.1.1)
>
> But it's still triggering alerts after restarting snort.
>
> 01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to
> mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority:
> 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306
>
> Any ideas?  I am very familiar with bpf syntax and use it on the command
> line with tcpdump all the time so this is very confusing!
>
> Thank you,
>
> MA
>
>
> On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml () yahoo fr> wrote:
>
> > Hi Miguel,
> > Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
> > Regards
> > Rmkml
> >
> >
> >
> >
> > On Tue, 29 Jan 2013, Miguel Alvarez wrote:
> >
> >  I have a list of my nessus scanners in my /etc/snort/bpf_file but
> > > they're still triggering alerts.  I've got them listed in the following
> > > syntax for example:
> > > not (src host 10.10.1.1) &&
> > > not (src host 10.10.1.2) &&
> > > not (src host 10.10.1.3)
> > >
> > > And my snort process is pointing to it:
> > >
> > > /usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l
> > > /var/log/snort/eth6 -F /etc/snort/bpf_file
> > >
> > > And it shows up in the syslog when snorts starts:
> > >
> > > Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
> > > /etc/snort/bpf_file
> > > Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host
> > > 10.10.1.1) &&
> > > not (src host 10.10.1.2) &&
> > > not (src host 10.10.1.3)
> > >
> > > But the alerts keep streaming in (not just this alert):
> > >
> > > 01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan
> > > OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
> > > {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
> > >
> > > This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?
> > >
> > > Thank you!
> > >
> > > MA
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!