Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort BPF.filter doesn't work

From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 10 Jul 2014 16:37:19 +0000
sure..  my file, with some sed magic, looks like this:

not ( ip host (161.217.188.26 or 192.168.188.27 or 192.168.188.28 or
192.168.188.29 or 192.168.188.60 or 192.168.188.61 or 192.168.188.101 or
192.168.188.102 or 192.168.188.103 or 192.168.188.104 or 192.168.188.107 or
192.168.188.108 or 192.168.188.109 or 192.168.188.112 ) and ( src portrange
1025-65500 and dst portrange 1025-65500 ) )
and not ( ip host 192.168.188.10 and ip host 192.168.52.125 )
and not ( ip host 192.168.188.11 and ip host 192.168.52.129 ) and not ( ip
host 192.168.40.21 or ip host 192.168.42.36 or ip host 192.168.48.3 or ip
host 192.168.140.3 or ip host 192.168.145.14 or ip host 192.168.160.2 or ip
host 192.168.189.160 or ip host 192.168.189.161 or ip host 192.168.52.53 or
ip host 192.168.52.55 )
and not ( tcp and ( ip src 192.168.52.129 or ip src 192.168.188.10 or ip
src 192.168.188.11 ) and ip dst 192.168 )
and not ( tcp and ( ip dst 192.168.52.129 or ip dst 192.168.188.10 or ip
dst 192.168.188.11 ) and ip src 192.168 )
and not ( ( ip src 192.168 and ( ip dst 192.168.189.17 or ip dst
192.168.189.18 ) ) or ( ip dst 192.168 and ( ip src 192.168.189.17 or ip
src 192.168.189.18 ) ) )
and not ip host 192.168.52.60
and not ( ip proto 47 and host 192.168.52.1 and host 192.168.79.71 )
and not ( ip dst 192.168.59.168 and tcp port 8014 )
and not ( tcp and src 192.168 and dst 192.168 and port 10566 )
and not tcp port 902 and not tcp port 903
and not ( tcp dst port 10514 and ip host 192.168.189.102 )
and not ip host 192.168.189.137
and not ip host 192.168.188.30 and not net 192.168.62.0/24 and not ip host
10.106.140.18


And if you watch the traffic with tcpdump with the filter in there, and
then try and hit the webpage, do you see the traffic?


PF_Ring turned out to be pretty easy.  We just did it on Cent 6.5 and the
process was pretty quick.  We install the rpm, configure it and turn on the
drive, then grab the source, recompile libpcap then recompile the tools
with the new libpcap, then tell snort to change it's daq, run a few
instances and away it goes.








On Thu, Jul 10, 2014 at 4:25 PM, Robert Millott <
robm () millottandassociates com> wrote:


I Understand about the business IP, can you clean up a single line and
modify the addresses? I just want to see if there is something wrong with
my syntax.  My system is also off the internet, so I understand that
problem.  My bpf.filter has a single line in it

not host 192.168.1.1

so I just wanted to see if yours had any different syntax I may be missing
out on.


The way I tested it was I added a snort rule to my misc.rules. The rule is

alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid: 99999; rev:
1)

This alert fires constantly whenever I hit the web page on 192.168.1.1.  I
then fired up snort, adding a -F /etc/snort/bpf.filter to the command line,
and looking for alerts.  I continue to get alerts on my test rule, which
tells me snort isn't ignoring all my traffic to that host.

Suggestions?

Yea, I 've seen the pfring stuff, and debated switcching to it, but it
looks like allot of effort to set up, and I was originally hoping a real
simple bpf filter would do what I needed.

Thanx


On Thu, Jul 10, 2014 at 11:56 AM, Jeremy Hoel <jthoel () gmail com> wrote:


Well mine has a lot of our business IPs in it, so I can't share it. But
you say you are seeing traffic..  what kind?  can you post a pcap
somewhere?  There's got to be something else that is being missed.

When you put the filter in with a tcpdump command do you see the traffic?

Also, if you want to run high speed.. check out pf_ring, and then running
multiple instances of snort against the pf_ring interface.
http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/


On Thu, Jul 10, 2014 at 3:42 PM, Robert Millott <
robm () millottandassociates com> wrote:


Jeremy
  Thanx for the reply.  I stop snort, then started it again.  during all
that initial stuff, I did find the line:

Reading filter from bpf file: /etc/snort/bpf.filter
Snort BPF Options:
not host 192.168.1.1

Loading dynamic engine ...


So snort is seeing it (or at least it appears to) and yet my alerts
still include traffic to host 192.168.1.1

What does your bpf.txt look like?




On Thu, Jul 10, 2014 at 11:28 AM, Jeremy Hoel <jthoel () gmail com> wrote:


I use BPF filters with no problems.  And the traffic from that filter
gets ignored.  During snort's startup in syslog it records if it's using a
BPF or not (at least it does for us doing BPF via file).. maybe go back
through and look at your syslog and make sure it's seeing the BPF.

Jul  8 04:00:34 mibst001 snort[25704]: Reading filter from bpf file:
/etc/snort/bpf.txt

we define that in the /etc/sysconfig/snort file

BPFFILE=/etc/snort/bpf.txt

and the command line option for that is -F <path_to_file>

try that and see if it shows anything in your syslog



On Thu, Jul 10, 2014 at 2:58 PM, Robert Millott <
robm () millottandassociates com> wrote:


All
  Thanx for the replies, but still nothing seems to work.  I tried
just adding the "not host 192.168.1.1" to the end of my command line, but I
keep getting alerts.  I tried changing my bpf.filter file to "not((host
192.168.1.1) or (vlan and host 192.168.1.1))", and I still get the alerts.

Has any successfully used bpf filters?

What I am trying to accomplish is that my snort keeps dying, I think
because it is being hit with to much traffic.  Some of my links are getting
peaks of 500-600Mps.  I know snort can only handle 200-300Mps typically, so
I want to filter out some of the traffic.  My thought was to use bpf
filters to ignore certain segments of traffic (maybe all port 80 traffic),
then run a second instance of snort to handle just that port 80 traffic and
ignore all the rest.

If bpf filters is not an option, anyone else got suggestions on how to
keep snort from dying due to too much traffic?


On Tue, Jul 8, 2014 at 4:16 PM, James Lay <jlay () slave-tothe-box net>
wrote:


On 2014-07-08 12:38, Robert Millott wrote:

Anyone else have any experience working with BPF Filters?I have
followed all the directions I have been able to find and set up my
filters, but a test rule I created continues to fire, even though

the

bpf filter should ignore that host entirely.

Thank you

On Thu, Jul 3, 2014 at 1:26 PM, Robert Millott
<robm () millottandassociates com [9]> wrote:


unfortunately, my snort install is on a non-internet connected
network so I cant provide the .conf file.

my command to start snort is:

/usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path
/etc/snort/ --nolock-pidfile --daq pcap --dap-dir /usr/lib64/daq
--daq-mode passive -i enps50f0 -F /etc/snort/bpf.filter -D

snort version is 2.9.6 GRE (Build 47)
host OS is 3.14.4 gentoo

Thanx for the help

On Thu, Jul 3, 2014 at 1:19 PM, Nicholas Mavis (nmavis)
<nmavis () cisco com [8]> wrote:


Robert,

Can you provide the following:

* Copy of your snort.conf
* The syntax in which you are starting Snort
* What version of Snort are you using?

-Nick

From: Robert Millott <robm () millottandassociates com [4]>
Date: Thursday, July 3, 2014 at 1:16 PM
To: nmavis <nmavis () cisco com [5]>, snort-users
<snort-users () lists sourceforge net [6]>
Subject: Re: [Snort-users] Snort BPF.filter doesnt work

Nick
  Thanx for the suggestion. Unfortunately, same results.  The
startup screen shows it reads the file, but the alert keeps
showing up in my logs.

On Thu, Jul 3, 2014 at 1:10 PM, Nicholas Mavis (nmavis)
<nmavis () cisco com [7]> wrote:


Robert,

Try the following without any additions:

not host 192.168.1.1

-Nick

From: Robert Millott <robm () millottandassociates com [1]>
Date: Thursday, July 3, 2014 at 12:14 PM
To: "snort-users () lists sourceforge net [2]"
<snort-users () lists sourceforge net [3]>
Subject: [Snort-users] Snort BPF.filter doesnt work

I am trying to filter some data.  I created a rule in my
misc.rules that I know will always fire, ie

alert tcp any any -> 192.168.1.1 80 (msg:"my test rule"; sid:
60999; rev:1)

That rule fires constantly whenever I go to the website at
192.168.1.1

I then create a /etc/snort/bpf.filter that contains one line

!(host 192.168.1.1)

I then edited snort.conf and uncomment the bfp.filter line so it
reads

config bpf_file: /etc/snort/bpf.filter

When I run snort and watch /var/log/messages, the above alert
continues to fire.

I also tried using it with the command line option of -F
/etc/snort/bpf.filter. This didnt work either.

I also tried bpf.filter to read
(not host 192.168.1.1)
that didnt work either.

When I start snort, I see the line that reads

Snort BPF Option:
!(host 192.168.1.1)

and yet I still see my above test alert message in my
/var/log/messages.

Anyone know why the bpf.filter isnt filtering the data?

--
Robert Millott
President, Millott and Associates
(443) 255-3588


Just pass it direct:

/usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path
/etc/snort/
--nolock-pidfile --daq pcap --dap-dir /usr/lib64/daq --daq-mode
passive
-i enps50f0 not host 192.168.1.1

James


------------------------------------------------------------------------------
Open source business process management suite built on Java and
Eclipse
Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





--
Robert Millott
President, Millott and Associates
(443) 255-3588


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!







--
Robert Millott
President, Millott and Associates
(443) 255-3588







--
Robert Millott
President, Millott and Associates
(443) 255-3588


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: