Snort mailing list archives

Re: BPF problem


From: Mike Patterson <mike.patterson () uwaterloo ca>
Date: Fri, 11 Jul 2014 17:54:06 +0000

On Jul 11, 2014, at 1:43 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-07-11 11:34, Mike Patterson wrote:
Following up to myself: I’ve tried various permutations of my BPF
filter to no avail. I tried Snort versions 2.9.5.3 (which is what’s on
my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it’s reading
my BPF filter, and always, it’s including alerts for IPs and networks
that are in the filter.

My current filter is of the form:

not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)

I tried a very simple filter - not net 10.0.0.0/24 - and no joy either.

I know that the sensor is not simply looking inside GRE tunnels, like
Robert was seeing - verified with tcpdump and one of our network
engineers.

The only substantial difference between these platforms is the one
with functional BPF filters is built on an Endace DAG, and the other
is built on an Intel X520 with PF_RING+DNA.

I verified that tcpdump (built against libpcap that comes with
PF_RING) does accept my filter. I verified that Snort is using that
same libpcap.

I’m not sure what else to try here. Any suggestions? I can tell
barnyard2 to ignore alerts for the IPs I’d like to ignore, but it
would be nice to save Snort the overhead in processing them (and my
disk space).

Mike

Please copy and paste an alert example.

Sure. u2spewfoo output, I anonymised our IP and the NICK used, but everything else is the same. Standard justin.tv connection here.

In this case, my bpf is configured to exclude the net 10.0.0.0/23.

(Event)
        sensor id: 0    event id: 65668 event second: 1405100755        event microsecond: 418103
        sig id: 2000345 gen id: 1       revision: 15     classification: 21
        priority: 1     ip source: 10.0.1.1 ip destination: 199.9.252.120
        src port: 65244 dest port: 443  protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 65668 event second: 1405100755
        packet second: 1405100755       packet microsecond: 418103
        linktype: 1     packet_length: 72
[    0] E4 C7 22 79 C5 61 64 00 F1 EE 70 C0 08 00 45 00  .."y.ad...p...E.
[   16] 00 3A 2C F0 40 00 7B 06 0A EA 81 61 83 00 C7 09  .:,.@.{....a....
[   32] FC 78 FE DC 01 BB BB 5A 6D 63 5B A1 81 C1 50 18  .x.....Zmc[...P.
[   48] 40 B0 4C 9F 00 00 4E 49 43 4B 20 73 65 72 65 64  @.L...NICK xxxxx
[   64] 68 72 61 73 0D 0A 00 00                          xxxx....
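An added example (not part of the thread or of Snort) that models the two filter expressions quoted above in pure Python, so the boolean logic of a BPF exclusion can be checked against the flow from the u2spewfoo event before suspecting the capture backend. The net/host primitives follow the libpcap meaning (either address matches); the 192.0.2.1 address is a constructed sample value.

```python
import ipaddress
from typing import Callable, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP) of one packet
Filter = Callable[[Flow], bool]


def net(cidr: str) -> Filter:
    """BPF 'net X/Y': true if either address of the flow is inside the network."""
    # libpcap rejects host bits set in a prefix ("non-network bits set"), and so
    # does ipaddress unless strict=False; the anonymised 1.2.3.4/8 from the
    # thread is accepted here for illustration only.
    network = ipaddress.ip_network(cidr, strict=False)
    return lambda flow: any(ipaddress.ip_address(a) in network for a in flow)


def host(addr: str) -> Filter:
    """BPF 'host X' (a bare address in a filter is shorthand for it)."""
    return lambda flow: addr in flow


def passes_simple_filter(flow: Flow) -> bool:
    """The filter in force for the posted event: 'not net 10.0.0.0/23'.
    True means the packet reaches Snort; False means BPF should drop it."""
    return not net("10.0.0.0/23")(flow)


def passes_compound_filter(flow: Flow) -> bool:
    """'not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)'.
    By De Morgan this equals
    'not net 1.2.3.4/8 and net 10.0.0.0/24 and host 172.16.12.1',
    so it keeps only traffic between 10.0.0.0/24 and 172.16.12.1."""
    return not (net("1.2.3.4/8")(flow)
                or not net("10.0.0.0/24")(flow)
                or not host("172.16.12.1")(flow))


def alert_consistent_with_filter(flow: Flow, filt: Filter) -> bool:
    """An alert on a flow the filter excludes means the filter is not
    actually being applied at capture time (the symptom in the thread)."""
    return filt(flow)


if __name__ == "__main__":
    event_flow = ("10.0.1.1", "199.9.252.120")  # from the u2spewfoo event above
    print("event flow kept by 'not net 10.0.0.0/23':",
          alert_consistent_with_filter(event_flow, passes_simple_filter))
    for flow in [("10.0.0.5", "172.16.12.1"), ("10.0.0.5", "199.9.252.120"),
                 ("192.0.2.1", "172.16.12.1")]:  # constructed sample flows
        print(flow, "kept by compound filter:", passes_compound_filter(flow))
```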


