Snort mailing list archives
Re: Snort BPF.filter doesn't work
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 10 Jul 2014 16:37:19 +0000
sure.. my file, with some sed magic, looks like this:

not ( ip host (161.217.188.26 or 192.168.188.27 or 192.168.188.28 or 192.168.188.29 or 192.168.188.60 or 192.168.188.61 or 192.168.188.101 or 192.168.188.102 or 192.168.188.103 or 192.168.188.104 or 192.168.188.107 or 192.168.188.108 or 192.168.188.109 or 192.168.188.112 ) and ( src portrange 1025-65500 and dst portrange 1025-65500 ) ) and not ( ip host 192.168.188.10 and ip host 192.168.52.125 ) and not ( ip host 192.168.188.11 and ip host 192.168.52.129 ) and not ( ip host 192.168.40.21 or ip host 192.168.42.36 or ip host 192.168.48.3 or ip host 192.168.140.3 or ip host 192.168.145.14 or ip host 192.168.160.2 or ip host 192.168.189.160 or ip host 192.168.189.161 or ip host 192.168.52.53 or ip host 192.168.52.55 ) and not ( tcp and ( ip src 192.168.52.129 or ip src 192.168.188.10 or ip src 192.168.188.11 ) and ip dst 192.168 ) and not ( tcp and ( ip dst 192.168.52.129 or ip dst 192.168.188.10 or ip dst 192.168.188.11 ) and ip src 192.168 ) and not ( ( ip src 192.168 and ( ip dst 192.168.189.17 or ip dst 192.168.189.18 ) ) or ( ip dst 192.168 and ( ip src 192.168.189.17 or ip src 192.168.189.18 ) ) ) and not ip host 192.168.52.60 and not ( ip proto 47 and host 192.168.52.1 and host 192.168.79.71 ) and not ( ip dst 192.168.59.168 and tcp port 8014 ) and not ( tcp and src 192.168 and dst 192.168 and port 10566 ) and not tcp port 902 and not tcp port 903 and not ( tcp dst port 10514 and ip host 192.168.189.102 ) and not ip host 192.168.189.137 and not ip host 192.168.188.30 and not net 192.168.62.0/24 and not ip host 10.106.140.18

And if you watch the traffic with tcpdump with the filter in there, and then try and hit the webpage, do you see the traffic?

PF_Ring turned out to be pretty easy. We just did it on Cent 6.5 and the process was pretty quick.
We install the rpm, configure it and turn on the driver, then grab the source, recompile libpcap, then recompile the tools with the new libpcap, then tell snort to change its daq, run a few instances and away it goes.

On Thu, Jul 10, 2014 at 4:25 PM, Robert Millott <robm () millottandassociates com> wrote:
I understand about the business IP, can you clean up a single line and modify the addresses? I just want to see if there is something wrong with my syntax. My system is also off the internet, so I understand that problem.

My bpf.filter has a single line in it

not host 192.168.1.1

so I just wanted to see if yours had any different syntax I may be missing out on.

The way I tested it was I added a snort rule to my misc.rules. The rule is

alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid:99999; rev:1;)

This alert fires constantly whenever I hit the web page on 192.168.1.1. I then fired up snort, adding a -F /etc/snort/bpf.filter to the command line, and looking for alerts. I continue to get alerts on my test rule, which tells me snort isn't ignoring all my traffic to that host. Suggestions?

Yea, I've seen the pfring stuff, and debated switching to it, but it looks like a lot of effort to set up, and I was originally hoping a real simple bpf filter would do what I needed.

Thanx

On Thu, Jul 10, 2014 at 11:56 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Well mine has a lot of our business IPs in it, so I can't share it. But you say you are seeing traffic.. what kind? can you post a pcap somewhere? There's got to be something else that is being missed. When you put the filter in with a tcpdump command do you see the traffic?

Also, if you want to run high speed.. check out pf_ring, and then running multiple instances of snort against the pf_ring interface.
http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/

On Thu, Jul 10, 2014 at 3:42 PM, Robert Millott <robm () millottandassociates com> wrote:

Jeremy

Thanx for the reply. I stopped snort, then started it again. During all that initial stuff, I did find the line:

Reading filter from bpf file: /etc/snort/bpf.filter
Snort BPF Options: not host 192.168.1.1
Loading dynamic engine ...
So snort is seeing it (or at least it appears to) and yet my alerts still include traffic to host 192.168.1.1

What does your bpf.txt look like?

On Thu, Jul 10, 2014 at 11:28 AM, Jeremy Hoel <jthoel () gmail com> wrote:

I use BPF filters with no problems. And the traffic from that filter gets ignored. During snort's startup in syslog it records if it's using a BPF or not (at least it does for us doing BPF via file).. maybe go back through and look at your syslog and make sure it's seeing the BPF.

Jul 8 04:00:34 mibst001 snort[25704]: Reading filter from bpf file: /etc/snort/bpf.txt

we define that in the /etc/sysconfig/snort file

BPFFILE=/etc/snort/bpf.txt

and the command line option for that is -F <path_to_file>

try that and see if it shows anything in your syslog

On Thu, Jul 10, 2014 at 2:58 PM, Robert Millott <robm () millottandassociates com> wrote:

All

Thanx for the replies, but still nothing seems to work. I tried just adding the "not host 192.168.1.1" to the end of my command line, but I keep getting alerts. I tried changing my bpf.filter file to "not((host 192.168.1.1) or (vlan and host 192.168.1.1))", and I still get the alerts. Has anyone successfully used bpf filters?

What I am trying to accomplish is that my snort keeps dying, I think because it is being hit with too much traffic. Some of my links are getting peaks of 500-600Mps. I know snort can only handle 200-300Mps typically, so I want to filter out some of the traffic. My thought was to use bpf filters to ignore certain segments of traffic (maybe all port 80 traffic), then run a second instance of snort to handle just that port 80 traffic and ignore all the rest. If bpf filters are not an option, anyone else got suggestions on how to keep snort from dying due to too much traffic?
On Tue, Jul 8, 2014 at 4:16 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-07-08 12:38, Robert Millott wrote:

Anyone else have any experience working with BPF Filters? I have followed all the directions I have been able to find and set up my filters, but a test rule I created continues to fire, even though the bpf filter should ignore that host entirely.

Thank you

On Thu, Jul 3, 2014 at 1:26 PM, Robert Millott <robm () millottandassociates com> wrote:

unfortunately, my snort install is on a non-internet connected network so I can't provide the .conf file.

my command to start snort is:

/usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path /etc/snort/ --nolock-pidfile --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i enps50f0 -F /etc/snort/bpf.filter -D

snort version is 2.9.6 GRE (Build 47)
host OS is 3.14.4 gentoo

Thanx for the help

On Thu, Jul 3, 2014 at 1:19 PM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:

Robert,

Can you provide the following:
* Copy of your snort.conf
* The syntax in which you are starting Snort
* What version of Snort are you using?

-Nick

From: Robert Millott <robm () millottandassociates com>
Date: Thursday, July 3, 2014 at 1:16 PM
To: nmavis <nmavis () cisco com>, snort-users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort BPF.filter doesn't work

Nick

Thanx for the suggestion. Unfortunately, same results. The startup screen shows it reads the file, but the alert keeps showing up in my logs.

On Thu, Jul 3, 2014 at 1:10 PM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:

Robert,

Try the following without any additions:

not host 192.168.1.1

-Nick

From: Robert Millott <robm () millottandassociates com>
Date: Thursday, July 3, 2014 at 12:14 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort BPF.filter doesn't work

I am trying to filter some data.
I created a rule in my misc.rules that I know will always fire, ie

alert tcp any any -> 192.168.1.1 80 (msg:"my test rule"; sid:60999; rev:1;)

That rule fires constantly whenever I go to the website at 192.168.1.1

I then create a /etc/snort/bpf.filter that contains one line

!(host 192.168.1.1)

I then edited snort.conf and uncommented the bpf.filter line so it reads

config bpf_file: /etc/snort/bpf.filter

When I run snort and watch /var/log/messages, the above alert continues to fire. I also tried using it with the command line option of -F /etc/snort/bpf.filter. This didn't work either. I also tried bpf.filter to read (not host 192.168.1.1); that didn't work either.

When I start snort, I see the line that reads

Snort BPF Option: !(host 192.168.1.1)

and yet I still see my above test alert message in my /var/log/messages.

Anyone know why the bpf.filter isn't filtering the data?

--
Robert Millott
President, Millott and Associates
(443) 255-3588

Just pass it direct:

/usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path /etc/snort/ --nolock-pidfile --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive -i enps50f0 not host 192.168.1.1

James

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
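Added example, not code from this thread, Snort or libpcap: an offline evaluator for the subset of pcap-filter syntax the thread uses (host, net, port, portrange, the src/dst and ip/tcp/udp qualifiers, and/or/not with pcap precedence, parentheses and the !/&&/|| spellings), run over constructed packets that stand in for the poster's test: a client at the made-up address 192.168.1.50 fetching a page from 192.168.1.1:80, the reply, and an unrelated DNS query to 192.168.52.60. It shows that `not host 192.168.1.1` and `!(host 192.168.1.1)` mean the same thing and drop both directions of the web traffic (an undirected `host` matches either end), that `not` binds tighter than `or`, and that the `vlan` form tried above is outside the subset and is rejected rather than guessed at. The packet dicts, 192.168.1.50 and the port numbers are constructed; 192.168.1.1 and the addresses inside the filter expressions come from the thread.

```python
"""Subset pcap-filter (BPF) evaluator, an added example (not code from the thread,
Snort or libpcap): host/net/port/portrange, src/dst and ip/tcp/udp qualifiers,
and/or/not with pcap precedence, parentheses, and the !, &&, || spellings."""
import ipaddress
import re

ALIASES = {"!": "not", "&&": "and", "||": "or"}
PROTOS = ("ip", "tcp", "udp")
KINDS = ("host", "net", "port", "portrange")
PREC = {"or": 1, "and": 2}  # binding strength; "not" binds tightest of all


def parse_network(value):
    """pcap short forms: "192.168" is 192.168.0.0/16, a full address is a /32."""
    addr, _, prefix = value.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{prefix or 8 * len(octets)}", strict=False)


class Filter:
    """Parse the expression once; matches(pkt) then evaluates it per packet."""
    def __init__(self, expr):
        self.toks = [ALIASES.get(t, t) for t in re.findall(r"\(|\)|!|&&|\|\||[^\s()]+", expr)]
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        if self._peek() is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self, min_prec=1):  # precedence climbing over "or" and "and"
        node = self._not()
        while self._peek() in PREC and PREC[self._peek()] >= min_prec:
            op = self._take()
            node = (op, node, self._expr(PREC[op] + 1))
        return node

    def _not(self):
        if self._peek() == "not":
            self._take()
            return ("not", self._not())
        if self._peek() == "(":
            self._take()
            node = self._expr()
            if self._take() != ")":
                raise SyntaxError("expected ')'")
            return node
        return self._primitive()

    def _primitive(self):
        proto = self._take() if self._peek() in PROTOS else None
        dirn = self._take() if self._peek() in ("src", "dst") else None
        kind = self._take() if self._peek() in KINDS else None
        if proto and not dirn and not kind and self._peek() in (None, ")", "and", "or"):
            return ("prim", proto, None, None, None)  # bare qualifier such as "tcp"
        value = self._take()
        if kind is None:  # "src 192.168": a bare address implies host or net
            kind = "host" if value.count(".") == 3 and "/" not in value else "net"
        if not re.fullmatch(r"[\d./-]+", value):  # vlan, "ip proto 47", etc. are not modelled
            raise SyntaxError(f"unsupported primitive near {value!r}")
        if kind in ("host", "net"):
            return ("prim", proto, dirn, kind, parse_network(value))
        lo, _, hi = value.partition("-")  # "80" or "1025-65500"
        return ("prim", proto, dirn, kind, (int(lo), int(hi or lo)))

    def matches(self, pkt, node=None):
        node = self.ast if node is None else node
        if node[0] in ("and", "or"):
            left, right = self.matches(pkt, node[1]), self.matches(pkt, node[2])
            return (left and right) if node[0] == "and" else (left or right)
        if node[0] == "not":
            return not self.matches(pkt, node[1])
        _, proto, dirn, kind, value = node
        if proto not in (None, "ip") and pkt["proto"] != proto:
            return False  # every sample packet is IPv4, so "ip" always holds
        if kind is None:
            return True  # bare protocol qualifier matched
        sides = [dirn] if dirn else ["src", "dst"]  # undirected "host" = src or dst
        if kind in ("host", "net"):
            return any(ipaddress.ip_address(pkt[s]) in value for s in sides)
        if pkt["proto"] not in ("tcp", "udp"):
            return False  # port tests need a transport header
        return any(value[0] <= pkt[s + "port"] <= value[1] for s in sides)


# Constructed sample traffic, not a capture: a LAN client (made-up 192.168.1.50)
# hitting the thread's web server 192.168.1.1:80, the reply, and a DNS query.
WEB_REQUEST = {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.1.1", "srcport": 51234, "dstport": 80}
WEB_REPLY = {"proto": "tcp", "src": "192.168.1.1", "dst": "192.168.1.50", "srcport": 80, "dstport": 51234}
DNS_QUERY = {"proto": "udp", "src": "192.168.1.50", "dst": "192.168.52.60", "srcport": 40001, "dstport": 53}
```

`Filter("not host 192.168.1.1").matches(WEB_REQUEST)` is False, as is the reply, while the DNS query passes; `Filter("not host 192.168.1.1 or tcp")` admits the request because `not` is applied before `or`. Checking a filter this way only tells you what the expression means; whether the sniffer actually applies it is a separate question, which is why the advice above to run the same expression under tcpdump and watch whether the web traffic still appears is the next step.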
Current thread:
- Re: Snort BPF.filter doesn't work, (continued)
- Re: Snort BPF.filter doesn't work Nicholas Mavis (nmavis) (Jul 03)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 03)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 08)
- Re: Snort BPF.filter doesn't work Geoffrey Serrao (Jul 08)
- Re: Snort BPF.filter doesn't work James Lay (Jul 08)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work James Lay (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 10)
- Re: Snort BPF.filter doesn't work Jeremy Hoel (Jul 10)
- Re: Snort BPF.filter doesn't work waldo kitty (Jul 10)
- Re: Snort BPF.filter doesn't work Robert Millott (Jul 11)
- Re: Snort BPF.filter doesn't work waldo kitty (Jul 11)