Snort mailing list archives

Re: BPF problem


From: elof () sentor se
Date: Wed, 16 Jul 2014 16:42:31 +0200 (CEST)


Hi Mike!

Jumping in here even though I haven't read the full thread.

Is some of the sniffed traffic VLAN-tagged and some not? (This is a common and painful problem with SPAN on e.g. HP procurve switches.)

Perhaps you are filtering out all plain (untagged) traffic for net 10.0.0.0/23, while tagged packets aren't filtered, and therefore processed by snort as usual?


You can test this theory by running:
tcpdump -nl vlan and net 10.0.0.0/23

If you see traffic, you have 10.0.0.0/23-traffic that is tagged.

To remove it, remove the vlan-tag from the SPAN (best solution) or extend your bpf filter to also filter out tagged net 10.0.0.0/23:
  not net 10.0.0.0/23 and not (vlan and net 10.0.0.0/23)

(note that using bpf filters, and more so complex ones, will have negative performance impact)

/Elof
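The offset behaviour behind Elof's suggestion, as an added example that is not part of the thread: a constructed untagged frame and an 802.1Q-tagged frame are run through a small emulation of libpcap's `net` primitive, showing that a plain `not net X` passes tagged traffic for X while the VLAN-aware form drops it. The frame layout, helper names and simplified matching logic are assumptions of this example, not Snort or libpcap code.

```python
import ipaddress
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet/IPv4 frame (constructed sample data, not a capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        # 802.1Q tag: TPID 0x8100 followed by the TCI carrying the VLAN id
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags, TTL, proto, checksum
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return eth + ip


def is_vlan(frame):
    """True if the frame carries an 802.1Q tag (the 'vlan' primitive)."""
    return struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q


def net_match(frame, network, after_vlan=False):
    """Emulate 'net NETWORK': IPv4 src or dst falls inside NETWORK.

    Like BPF, the test reads fixed offsets. With after_vlan=True the offsets are
    shifted by the 4-byte tag, which is what libpcap does for primitives that
    follow the 'vlan' keyword; without it a tagged frame simply fails the test.
    """
    eth_type_off = 16 if after_vlan else 12
    if struct.unpack_from("!H", frame, eth_type_off)[0] != ETH_P_IP:
        return False
    ip_off = eth_type_off + 2
    src = ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16])
    dst = ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20])
    net = ipaddress.IPv4Network(network)
    return src in net or dst in net


def naive_filter(frame, network):
    """'not net X': tagged traffic for X slips through because 'net' never matches it."""
    return not net_match(frame, network)


def vlan_aware_filter(frame, network):
    """'not net X and not (vlan and net X)': also drops the tagged copies."""
    tagged_hit = is_vlan(frame) and net_match(frame, network, after_vlan=True)
    return not net_match(frame, network) and not tagged_hit
```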


On Fri, 11 Jul 2014, Mike Patterson wrote:

On Jul 11, 2014, at 2:14 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-07-11 12:05, Mike Patterson wrote:
On Jul 11, 2014, at 2:00 PM, James Lay <jlay () slave-tothe-box net>
wrote:

On 2014-07-11 11:55, Mike Patterson wrote:
On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 () windstream net>
wrote:

On 7/11/2014 1:34 PM, Mike Patterson wrote:
Following up to myself: I’ve tried various permutations of my BPF filter to no avail. I tried Snort versions 2.9.5.3 (which is what’s on my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it’s reading my BPF filter, and always, it’s including alerts for IPs and networks that are in the filter.

My current filter is of the form:

not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)

this may not be related to your problem but i can't help seeing the double negatives in the above... are you wanting to include or exclude traffic to/from 10.0.0.0/24 and 172.16.12.1?

if you want to exclude traffic from them, perhaps you mean to use

not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)

That’s actually what I’m using, I just can’t transcribe properly.

Mike

Give:

not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)

No joy.

Mike

This worked for me ok:

sudo snort -i eth0 -c snort/snort.conf not net 10.0.0.0/8

You can also test just BPF ability with:

sudo snort -i eth0 not net 10.0.0.0/8

Sadly, not for me:

sudo /usr/local/bin/snort -i dna1@0 --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive not net (my entire netblock)

provides a firehose. But:

Running in packet dump mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: not net (my netblock)
pfring_dna DAQ configured to passive.
Acquiring network traffic from "dna1@0".

       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.6.1 GRE (Build 56)
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 7.8 2008-09-05
          Using ZLIB version: 1.2.3

I know that’s an older pcap version, but it’s what ships with PF_RING.

Mike


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!