Snort mailing list archives
Re: BPF problem
From: Mike Patterson <mike.patterson () uwaterloo ca>
Date: Fri, 11 Jul 2014 18:44:51 +0000
On Jul 11, 2014, at 2:14 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On 2014-07-11 12:05, Mike Patterson wrote:
>
>> On Jul 11, 2014, at 2:00 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>
>>> On 2014-07-11 11:55, Mike Patterson wrote:
>>>
>>>> On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>>>
>>>>> On 7/11/2014 1:34 PM, Mike Patterson wrote:
>>>>>
>>>>>> Following up to myself: I’ve tried various permutations of my BPF filter to no avail. I tried Snort versions 2.9.5.3 (which is what’s on my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it’s reading my BPF filter, and always, it’s including alerts for IPs and networks that are in the filter.
>>>>>>
>>>>>> My current filter is of the form:
>>>>>>
>>>>>> not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)
>>>>>
>>>>> this may not be related to your problem but i can't help seeing the double negatives in the above... are you wanting to include or exclude traffic to/from 10.0.0.0/24 and 172.16.12.1? if you want to exclude traffic from them, perhaps you mean to use
>>>>>
>>>>> not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)
>>>>
>>>> That’s actually what I’m using, I just can’t transcribe properly.
>>>>
>>>> Mike
>>>
>>> Give:
>>>
>>> not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)
>>
>> No joy.
>>
>> Mike
>
> This worked for me ok:
>
> sudo snort -i eth0 -c snort/snort.conf not net 10.0.0.0/8
>
> You can also test just BPF ability with:
>
> sudo snort -i eth0 not net 10.0.0.0/8
Sadly, not for me:

sudo /usr/local/bin/snort -i dna1@0 --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive not net (my entire netblock)

provides a firehose. But:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: not net (my netblock)
pfring_dna DAQ configured to passive.
Acquiring network traffic from "dna1@0".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.1 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

I know that’s an older pcap version, but it’s what ships with PF_RING.

Mike
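The double-negative filter waldo kitty flagged and the intended single-negative form behave very differently, and it helps to see that before blaming the DAQ. The following is an added illustration (not code from this thread or from Snort): a tiny evaluator for the BPF `net` and bare-host predicates, run over constructed sample packets, showing which packets each of the two filter forms lets through. The packet addresses are made up for the example.

```python
import ipaddress

# Constructed (src, dst) pairs for illustration only; not traffic from the thread.
PACKETS = [
    ("1.2.3.4", "8.8.8.8"),             # src in 1.0.0.0/8
    ("10.0.0.7", "172.16.12.1"),        # both excluded addresses at once
    ("10.0.0.7", "93.184.216.34"),      # src in 10.0.0.0/24
    ("192.0.2.10", "198.51.100.20"),    # touches none of the excluded ranges
    ("203.0.113.5", "172.16.12.1"),     # dst is the excluded host
]


def net(cidr):
    """BPF 'net X/Y': true when either src or dst lies inside the network."""
    n = ipaddress.ip_network(cidr, strict=False)   # '1.2.3.4/8' -> 1.0.0.0/8
    return lambda src, dst: (ipaddress.ip_address(src) in n
                             or ipaddress.ip_address(dst) in n)


def host(addr):
    """BPF bare address (same as 'host X'): true when src or dst equals it."""
    return lambda src, dst: src == addr or dst == addr


def excluded_form(src, dst):
    """not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1): the intended exclusion."""
    return not (net("1.2.3.4/8")(src, dst)
                or net("10.0.0.0/24")(src, dst)
                or host("172.16.12.1")(src, dst))


def double_negative_form(src, dst):
    """not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1).

    By De Morgan this is 'not net 1.0.0.0/8 AND net 10.0.0.0/24 AND host
    172.16.12.1', so it only passes packets between the two excluded ranges.
    """
    return not (net("1.2.3.4/8")(src, dst)
                or not net("10.0.0.0/24")(src, dst)
                or not host("172.16.12.1")(src, dst))


def passing(filt, packets=PACKETS):
    """Return the packets a filter would hand to Snort (i.e. where it is true)."""
    return [p for p in packets if filt(*p)]


if __name__ == "__main__":
    print("intended form passes:", passing(excluded_form))
    print("double-negative passes:", passing(double_negative_form))
```

Comparing the two lists against what `snort -i eth0 <filter>` in packet dump mode actually shows is a quick way to tell a filter-syntax problem from a DAQ that is ignoring the BPF option altogether.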