Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re : Re: What is the correct syntax for bpf_file?

From: Miguel Alvarez <miguellvrz9 () gmail com>
Date: Wed, 30 Jan 2013 18:17:38 +0100
Thank you, Todd -- that was it!  I thought I was going crazy! :-)

Thanks again guys,

MA



On Wed, Jan 30, 2013 at 4:15 PM, Todd Wease <twease () sourcefire com> wrote:


On Tue, Jan 29, 2013 at 4:05 PM, Miguel Alvarez <miguellvrz9 () gmail com>
wrote:


snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i

<iface> -vvnn src host 10.10.1.1' doesn't return anything but the alerts
keep getting logged.  Why is that?!


Cheers,

MA


Like Rm Kml hinted at, it may be there's vlan.  Try "vlan and src host
10.10.1.1" with tcpdump and see if you get anything.  If so, your bpf
should include vlan, e.g. "vlan and not src host 10.10.1.1".  If this
doesn't work, can you attach a short pcap of the traffic?





On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml () yahoo fr> wrote:


Thx, Im curious what is your snort version please ?
Maybe you have vlan ?
For example can you write network trafic with tcpdump like and replay

file on tcpdump + snort with bpf ?

Do you have same pb if you add bpf instructions on snort cmd line ?
Regards
Rmkml


________________________________
From: Miguel Alvarez <miguellvrz9 () gmail com>;
To: rmkml <rmkml () yahoo fr>;
Cc: Snort Users <snort-users () lists sourceforge net>;
Subject: Re: [Snort-users] What is the correct syntax for bpf_file?
Sent: Tue, Jan 29, 2013 4:59:20 PM

Thanks for the reply.  I just have one line just to test:

not src host (10.10.1.1)

But it's still triggering alerts after restarting snort.

01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound

to mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306


Any ideas?  I am very familiar with bpf syntax and use it on the

command line with tcpdump all the time so this is very confusing!


Thank you,

MA


On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml () yahoo fr> wrote:


Hi Miguel,
Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or

10.10.1.3)'

Regards
Rmkml




On Tue, 29 Jan 2013, Miguel Alvarez wrote:


I have a list of my nessus scanners in my /etc/snort/bpf_file but

they're still triggering alerts.  I've got them listed in the following
syntax for example:

not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

And my snort process is pointing to it:

/usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf

-l /var/log/snort/eth6 -F /etc/snort/bpf_file


And it shows up in the syslog when snorts starts:

Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:

/etc/snort/bpf_file

Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host

10.10.1.1) &&

not (src host 10.10.1.2) &&
not (src host 10.10.1.3)

But the alerts keep streaming in (not just this alert):

01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan

OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
{TCP} 10.10.1.1:49870 -> 10.10.1.43:22


This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?

Thank you!

MA






------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: