Re: Snort BPF.filter doesn't work

[Robert Millott <robm () millottandassociates com>]

All
   Finally figured it out.  Thanx Jeremy for leading me in the right
direction. The traffic I was looking at was GRE encapsulated, so while the
bpf filters were ignoring packets based on src and dst ip address, the
snort rules were seeing the encapsulated data, which contained the
192.168.1.1 address snort was looking for , and that's why snort alerts
were firing despite my telling it to drop those addresses.

Thanx again everyone for the help.


On Thu, Jul 10, 2014 at 12:38 PM, James Lay <jlay () slave-tothe-box net>
wrote:

> On 2014-07-10 10:25, Robert Millott wrote:
> > I Understand about the business IP, can you clean up a single line
> > and
> > modify the addresses? I just want to see if there is something wrong
> > with my syntax.  My system is also off the internet, so I understand
> > that problem.  My bpf.filter has a single line in it
> >
> > not host 192.168.1.1
> >
> > so I just wanted to see if yours had any different syntax I may be
> > missing out on.
> >
> > The way I tested it was I added a snort rule to my misc.rules. The
> > rule is
> >
> > alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid: 99999;
> > rev: 1)
> >
> > This alert fires constantly whenever I hit the web page on
> > 192.168.1.1.  I then fired up snort, adding a -F
> > /etc/snort/bpf.filter to the command line, and looking for alerts.  I
> > continue to get alerts on my test rule, which tells me snort isnt
> > ignoring all my traffic to that host.
> >
> > Suggestions?
> >
> > Yea, I ve seen the pfring stuff, and debated switcching to it, but it
> > looks like allot of effort to set up, and I was originally hoping a
> > real simple bpf filter would do what I needed.
> >
> > Thanx
>
> Please copy and past an actual alert event text.
>
> James
>
>
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Robert Millott
President, Millott and Associates
(443) 255-3588

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!