Snort mailing list archives
Re: Re : Re: What is the correct syntax for bpf_file?
From: Miguel Alvarez <miguellvrz9 () gmail com>
Date: Wed, 30 Jan 2013 18:17:38 +0100
Thank you, Todd -- that was it! I thought I was going crazy! :-)

Thanks again guys,
MA

On Wed, Jan 30, 2013 at 4:15 PM, Todd Wease <twease () sourcefire com> wrote:

On Tue, Jan 29, 2013 at 4:05 PM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:

snort-2.9.4 with libpcap 1.3.0. And you're right, running 'tcpdump -i<iface> -vvnn src host 10.10.1.1' doesn't return anything but the alerts keep getting logged. Why is that?!

Cheers,
MA

Like Rm Kml hinted at, it may be there's vlan. Try "vlan and src host 10.10.1.1" with tcpdump and see if you get anything. If so, your bpf should include vlan, e.g. "vlan and not src host 10.10.1.1". If this doesn't work, can you attach a short pcap of the traffic?

On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml () yahoo fr> wrote:

Thx, I'm curious what is your snort version please? Maybe you have vlan? For example can you write network traffic with tcpdump and replay the file on tcpdump + snort with bpf? Do you have the same problem if you add bpf instructions on the snort cmd line?

Regards
Rmkml

________________________________
From: Miguel Alvarez <miguellvrz9 () gmail com>
To: rmkml <rmkml () yahoo fr>
Cc: Snort Users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] What is the correct syntax for bpf_file?
Sent: Tue, Jan 29, 2013 4:59:20 PM

Thanks for the reply. I just have one line just to test:

not src host (10.10.1.1)

But it's still triggering alerts after restarting snort.

01/29-16:56:07.106637 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306

Any ideas? I am very familiar with bpf syntax and use it on the command line with tcpdump all the time so this is very confusing!

Thank you,
MA

On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml () yahoo fr> wrote:

Hi Miguel,
Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
Regards
Rmkml

On Tue, 29 Jan 2013, Miguel Alvarez wrote:

I have a list of my nessus scanners in my /etc/snort/bpf_file but they're still triggering alerts.
I've got them listed in the following syntax for example:

not (src host 10.10.1.1) && not (src host 10.10.1.2) && not (src host 10.10.1.3)

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth6 -F /etc/snort/bpf_file

And it shows up in the syslog when snort starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file: /etc/snort/bpf_file
Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) && not (src host 10.10.1.2) && not (src host 10.10.1.3)

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294 [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22

This is snort 2.9.4.0 on CentOS 5.x. What am I doing wrong?

Thank you!
MA
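Why "not src host 10.10.1.1" let the scanner through while "vlan and not src host 10.10.1.1" did not, shown as an added example that is not part of the thread or of Snort/libpcap: the block below builds constructed Ethernet/IPv4 frames (MAC addresses, VLAN ID 100 and the 10.10.1.x hosts are all made up to match the thread) and models how libpcap compiles the `src host` primitive, namely an ethertype check at frame offset 12 followed by a 4-byte compare at the IPv4 source offset, with the `vlan` keyword requiring 0x8100 at offset 12 and shifting every later offset by 4. It is a simplified model of in-frame 802.1Q tagging only, not libpcap's actual compiler, and the function names are assumptions for the illustration.

```python
"""Toy model of how a BPF 'src host' test lands on 802.1Q-tagged vs. untagged frames.

Added example: the frames, addresses and VLAN ID are constructed to mirror the thread;
the matching logic is a simplified model of libpcap's offset handling, not libpcap.
"""
import socket
import struct
from typing import Dict, Optional

ETH_P_IP = 0x0800      # IPv4 ethertype
ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag protocol identifier
ETH_TYPE_OFF = 12      # ethertype field offset in an untagged Ethernet header
IP_SRC_OFF = 12        # source address offset within an IPv4 header


def build_frame(src_ip: str, dst_ip: str, vlan_id: Optional[int] = None) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame (constructed test data, not a capture).

    With vlan_id set, a 4-byte 802.1Q tag (TPID 0x8100 + TCI) is inserted after the
    MAC addresses, pushing the ethertype and the IPv4 header 4 bytes deeper.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC (made up)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    # 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL,
    # protocol 6 (TCP), checksum left zero, source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


def src_host(frame: bytes, host: str, vlan: bool = False) -> bool:
    """Model of 'src host HOST' (vlan=False) or 'vlan and src host HOST' (vlan=True).

    Without 'vlan', a tagged frame carries 0x8100 at offset 12, so the ethertype
    check fails and 'src host' is simply false: the scanner is never matched and
    the 'not' in front of it lets the frame through.
    """
    off = ETH_TYPE_OFF
    if vlan:
        if struct.unpack_from("!H", frame, off)[0] != ETH_P_8021Q:
            return False
        off += 4  # the vlan keyword shifts all later offsets by the tag size
    if struct.unpack_from("!H", frame, off)[0] != ETH_P_IP:
        return False
    ip_start = off + 2
    src = frame[ip_start + IP_SRC_OFF: ip_start + IP_SRC_OFF + 4]
    return src == socket.inet_aton(host)


def snort_keeps(frame: bytes, scanner: str, vlan: bool) -> bool:
    """True if 'not src host SCANNER' (vlan=False) or 'vlan and not src host SCANNER'
    (vlan=True) would pass the frame on to Snort's detection engine."""
    if vlan:
        tagged = struct.unpack_from("!H", frame, ETH_TYPE_OFF)[0] == ETH_P_8021Q
        return tagged and not src_host(frame, scanner, vlan=True)
    return not src_host(frame, scanner, vlan=False)


def demo() -> Dict[str, bool]:
    """The thread's scenario: scanner 10.10.1.1 on a sensor that sees tagged frames."""
    scanner = "10.10.1.1"
    tagged_scan = build_frame(scanner, "10.10.1.43", vlan_id=100)
    tagged_other = build_frame("10.10.1.99", "10.10.1.43", vlan_id=100)
    untagged_scan = build_frame(scanner, "10.10.1.43")
    untagged_other = build_frame("10.10.1.99", "10.10.1.43")
    return {
        # The symptom: the tagged scanner frame passes 'not src host 10.10.1.1'.
        "tagged_scanner_plain_filter": snort_keeps(tagged_scan, scanner, vlan=False),
        # The fix from the thread: 'vlan and not src host 10.10.1.1' drops it ...
        "tagged_scanner_vlan_filter": snort_keeps(tagged_scan, scanner, vlan=True),
        # ... while tagged traffic from other hosts still reaches Snort.
        "tagged_other_vlan_filter": snort_keeps(tagged_other, scanner, vlan=True),
        # Caveat: a filter that starts with 'vlan' drops every untagged frame.
        "untagged_other_vlan_filter": snort_keeps(untagged_other, scanner, vlan=True),
        # On an untagged link the original filter works as written.
        "untagged_scanner_plain_filter": snort_keeps(untagged_scan, scanner, vlan=False),
    }


if __name__ == "__main__":
    for case, kept in demo().items():
        print(f"{case:32s} -> {'kept' if kept else 'dropped'}")
```

Before changing the bpf_file on a real sensor, confirm which kind of frame the interface actually sees: `tcpdump -i eth6 -nn -e 'vlan and src host 10.10.1.1'` prints the link-level header, so tagged frames show up with their 802.1Q ethertype and VLAN ID. If the same interface carries both tagged and untagged traffic, a filter beginning with `vlan` silently excludes the untagged half, as the `untagged_other_vlan_filter` case shows.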
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re : Re: What is the correct syntax for bpf_file? Rm Kml (Jan 29)
- Re: Re : Re: What is the correct syntax for bpf_file? Miguel Alvarez (Jan 29)
- Re: Re : Re: What is the correct syntax for bpf_file? Todd Wease (Jan 30)
- Re: Re : Re: What is the correct syntax for bpf_file? Miguel Alvarez (Jan 30)
- Re: Re : Re: What is the correct syntax for bpf_file? Todd Wease (Jan 30)
- Re: Re : Re: What is the correct syntax for bpf_file? Miguel Alvarez (Jan 29)