Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re : Re: What is the correct syntax for bpf_file?

From: Todd Wease <twease () sourcefire com>
Date: Wed, 30 Jan 2013 10:15:40 -0500
On Tue, Jan 29, 2013 at 4:05 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:


snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i <iface> -vvnn src host 10.10.1.1' doesn't 
return anything but the alerts keep getting logged.  Why is that?!

Cheers,

MA


Like Rm Kml hinted at, it may be there's vlan.  Try "vlan and src host
10.10.1.1" with tcpdump and see if you get anything.  If so, your bpf
should include vlan, e.g. "vlan and not src host 10.10.1.1".  If this
doesn't work, can you attach a short pcap of the traffic?





On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml () yahoo fr> wrote:


Thx, Im curious what is your snort version please ?
Maybe you have vlan ?
For example can you write network trafic with tcpdump like and replay file on tcpdump + snort with bpf ?
Do you have same pb if you add bpf instructions on snort cmd line ?
Regards
Rmkml


________________________________
From: Miguel Alvarez <miguellvrz9 () gmail com>;
To: rmkml <rmkml () yahoo fr>;
Cc: Snort Users <snort-users () lists sourceforge net>;
Subject: Re: [Snort-users] What is the correct syntax for bpf_file?
Sent: Tue, Jan 29, 2013 4:59:20 PM

Thanks for the reply.  I just have one line just to test:

not src host (10.10.1.1)

But it's still triggering alerts after restarting snort.

01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: 
Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306

Any ideas?  I am very familiar with bpf syntax and use it on the command line with tcpdump all the time so this is 
very confusing!

Thank you,

MA


On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml () yahoo fr> wrote:


Hi Miguel,
Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
Regards
Rmkml




On Tue, 29 Jan 2013, Miguel Alvarez wrote:


I have a list of my nessus scanners in my /etc/snort/bpf_file but they're still triggering alerts.  I've got them 
listed in the following syntax for example:
not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth6 -F /etc/snort/bpf_file

And it shows up in the syslog when snorts starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file: /etc/snort/bpf_file
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted 
Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22

This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?

Thank you!

MA





------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: