Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BPF problem

From: Mike Patterson <mike.patterson () uwaterloo ca>
Date: Fri, 11 Jul 2014 18:44:51 +0000
On Jul 11, 2014, at 2:14 PM, James Lay <jlay () slave-tothe-box net> wrote:


On 2014-07-11 12:05, Mike Patterson wrote:

On Jul 11, 2014, at 2:00 PM, James Lay <jlay () slave-tothe-box net> 
wrote:


On 2014-07-11 11:55, Mike Patterson wrote:

On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 () windstream net>
wrote:


On 7/11/2014 1:34 PM, Mike Patterson wrote:

Following up to myself: I’ve tried various permutations of my BPF
filter to
no avail. I tried Snort versions 2.9.5.3 (which is what’s on my 
old
sensor),
2.9.6.0, and 2.9.6.1. Always, Snort says it’s reading my BPF
filter, and
always, it’s including alerts for IPs and networks that are in 
the
filter.

My current filter is of the form:

not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)


this may not be related to your problem but i can't help seeing 
the
double
negatives in the above... are you wanting to include or exclude
traffic to/from
10.0.0.0/24 and 172.16.12.1?

if you want to exclude traffic from them, perhaps you mean to use

not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)


That’s actually what I’m using, I just can’t transcribe properly.

Mike


Give:

not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)


No joy.

Mike


This worked for me ok:

sudo snort -i eth0 -c snort/snort.conf not net 10.0.0.0/8

You can also test just BPF ability with:

sudo snort -i eth0 not net 10.0.0.0/8


Sadly, not for me:

sudo /usr/local/bin/snort -i dna1@0 --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive not net (my entire 
netblock)

provides a firehose. But:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: not net (my netblock)
pfring_dna DAQ configured to passive.
Acquiring network traffic from "dna1@0".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.1 GRE (Build 56) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

I know that’s an older pcap version, but it’s what ships with PF_RING.

Mike


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: