Re: Snort BPF.filter doesn't work

[Geoffrey Serrao <gserrao () sourcefire com>]

Hi Robert,

Is the traffic vlan tagged?

http://www.christian-rossow.de/articles/tcpdump_filter_mixed_tagged_and_untagged_VLAN_traffic.php


On Tue, Jul 8, 2014 at 2:38 PM, Robert Millott <
robm () millottandassociates com> wrote:

> Anyone else have any experience working with BPF Filters?I have followed
> all the directions I have been able to find and set up my filters, but a
> test rule I created continues to fire, even though the bpf filter should
> ignore that host entirely.
>
> Thank you
>
>
> On Thu, Jul 3, 2014 at 1:26 PM, Robert Millott <
> robm () millottandassociates com> wrote:
>
> > unfortunately, my snort install is on a non-internet connected network so
> > I can't provide the .conf file.
> >
> > my command to start snort is:
> >
> > /usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path /etc/snort/
> > --nolock-pidfile --daq pcap --dap-dir /usr/lib64/daq --daq-mode passive -i
> > enps50f0 -F /etc/snort/bpf.filter -D
> >
> > snort version is 2.9.6 GRE (Build 47)
> > host OS is 3.14.4 gentoo
> >
> > Thanx for the help
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Jul 3, 2014 at 1:19 PM, Nicholas Mavis (nmavis) <nmavis () cisco com
> > > wrote:
> >
> > >  Robert,
> > >
> > >  Can you provide the following:
> > >
> > >    1. Copy of your snort.conf
> > >    2. The syntax in which you are starting Snort
> > >    3. What version of Snort are you using?
> > >
> > > -Nick
> > >
> > >   From: Robert Millott <robm () millottandassociates com>
> > > Date: Thursday, July 3, 2014 at 1:16 PM
> > > To: nmavis <nmavis () cisco com>, snort-users <
> > > snort-users () lists sourceforge net>
> > > Subject: Re: [Snort-users] Snort BPF.filter doesn't work
> > >
> > >   Nick
> > >   Thanx for the suggestion. Unfortunately, same results.  The startup
> > > screen shows it reads the file, but the alert keeps showing up in my logs.
> > >
> > >
> > >
> > >
> > > On Thu, Jul 3, 2014 at 1:10 PM, Nicholas Mavis (nmavis) <
> > > nmavis () cisco com> wrote:
> > >
> > > >  Robert,
> > > >
> > > >  Try the following without any additions:
> > > >
> > > >  not host 192.168.1.1
> > > >
> > > >  -Nick
> > > >
> > > >   From: Robert Millott <robm () millottandassociates com>
> > > > Date: Thursday, July 3, 2014 at 12:14 PM
> > > > To: "snort-users () lists sourceforge net" <
> > > > snort-users () lists sourceforge net>
> > > > Subject: [Snort-users] Snort BPF.filter doesn't work
> > > >
> > > >   I am trying to filter some data.  I created a rule in my misc.rules
> > > > that I know will always fire, ie
> > > >
> > > >  alert tcp any any -> 192.168.1.1 80 (msg:"my test rule"; sid: 60999;
> > > > rev:1)
> > > >
> > > >  That rule fires constantly whenever I go to the website at 192.168.1.1
> > > >
> > > >  I then create a /etc/snort/bpf.filter that contains one line
> > > >
> > > >  !(host 192.168.1.1)
> > > >
> > > >  I then edited snort.conf and uncomment the bfp.filter line so it reads
> > > >
> > > >  config bpf_file: /etc/snort/bpf.filter
> > > >
> > > >  When I run snort and watch /var/log/messages, the above alert
> > > > continues to fire.
> > > >
> > > >  I also tried using it with the command line option of -F
> > > > /etc/snort/bpf.filter. This didn't work either.
> > > >
> > > >  I also tried bpf.filter to read
> > > > (not host 192.168.1.1)
> > > > that didn't work either.
> > > >
> > > >  When I start snort, I see the line that reads
> > > >
> > > >  Snort BPF Option:
> > > > !(host 192.168.1.1)
> > > >
> > > >  and yet I still see my above test alert message in my
> > > > /var/log/messages.
> > > >
> > > >  Anyone know why the bpf.filter isn't filtering the data?
> > > >
> > > >
> > > >
> > > >  --
> > > > Robert Millott
> > > > President, Millott and Associates
> > > > (443) 255-3588
> > >
> > >
> > >
> > >  --
> > > Robert Millott
> > > President, Millott and Associates
> > > (443) 255-3588
> >
> >
> >
> > --
> > Robert Millott
> > President, Millott and Associates
> > (443) 255-3588
>
>
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!