Snort mailing list archives

Re: Snort BPF.filter doesn't work


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 08 Jul 2014 14:16:52 -0600

On 2014-07-08 12:38, Robert Millott wrote:
Anyone else have any experience working with BPF Filters? I have
followed all the directions I have been able to find and set up my
filters, but a test rule I created continues to fire, even though the
bpf filter should ignore that host entirely.

Thank you

On Thu, Jul 3, 2014 at 1:26 PM, Robert Millott
<robm () millottandassociates com> wrote:

Unfortunately, my Snort install is on a non-internet-connected
network so I can't provide the .conf file.

my command to start snort is:

/usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path
/etc/snort/ --nolock-pidfile --daq pcap --daq-dir /usr/lib64/daq
--daq-mode passive -i enps50f0 -F /etc/snort/bpf.filter -D

snort version is 2.9.6 GRE (Build 47)
host OS is 3.14.4 gentoo 

Thanx for the help

On Thu, Jul 3, 2014 at 1:19 PM, Nicholas Mavis (nmavis)
<nmavis () cisco com> wrote:

Robert,

Can you provide the following:

* Copy of your snort.conf
* The syntax in which you are starting Snort
* What version of Snort are you using?

-Nick

From: Robert Millott <robm () millottandassociates com>
Date: Thursday, July 3, 2014 at 1:16 PM
To: nmavis <nmavis () cisco com>, snort-users
<snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort BPF.filter doesn't work

Nick
  Thanx for the suggestion. Unfortunately, same results.  The
startup screen shows it reads the file, but the alert keeps
showing up in my logs.

On Thu, Jul 3, 2014 at 1:10 PM, Nicholas Mavis (nmavis)
<nmavis () cisco com> wrote:

Robert,

Try the following without any additions:

not host 192.168.1.1

-Nick

From: Robert Millott <robm () millottandassociates com>
Date: Thursday, July 3, 2014 at 12:14 PM
To: "snort-users () lists sourceforge net"
<snort-users () lists sourceforge net>
Subject: [Snort-users] Snort BPF.filter doesn't work

I am trying to filter some data.  I created a rule in my
misc.rules that I know will always fire, i.e.

alert tcp any any -> 192.168.1.1 80 (msg:"my test rule"; sid:60999; rev:1;)

That rule fires constantly whenever I go to the website at
192.168.1.1

I then create a /etc/snort/bpf.filter that contains one line

!(host 192.168.1.1)

I then edited snort.conf and uncommented the bpf.filter line so it
reads

config bpf_file: /etc/snort/bpf.filter

When I run snort and watch /var/log/messages, the above alert
continues to fire.

I also tried using it with the command line option of -F
/etc/snort/bpf.filter. This didn't work either.

I also tried bpf.filter to read
(not host 192.168.1.1)
That didn't work either.

When I start snort, I see the line that reads

Snort BPF Option:
!(host 192.168.1.1)

and yet I still see my above test alert message in my
/var/log/messages.

Anyone know why the bpf.filter isn't filtering the data?

--
Robert Millott
President, Millott and Associates
(443) 255-3588

Just pass it direct:

/usr/bin/snort -c /etc/snort/snort1.conf -G 0x11 --pid-path /etc/snort/
--nolock-pidfile --daq pcap --daq-dir /usr/lib64/daq --daq-mode passive
-i enps50f0 not host 192.168.1.1

James
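One way to check a bpf.filter file offline, as an added example that is not part of the thread: it hands the file to libpcap's compiler through tcpdump -d (assumed to be installed; Snort's -F and config bpf_file use the same libpcap syntax), using a constructed header-only pcap so no interface or root privilege is needed, and can compare the two spellings of the filter discussed above.

```shell
# Added example, not from the thread. Assumes tcpdump is installed;
# the filter file is whatever you would pass to snort -F.

# Write a header-only pcap (link type 1, Ethernet) so tcpdump can compile
# the filter for that link layer without opening a live interface.
make_empty_pcap() {
  # magic 0xa1b2c3d4 (little-endian), version 2.4, thiszone 0, sigfigs 0,
  # snaplen 65535, linktype 1; 24 bytes in total, no packet records.
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Compile the filter held in a file. Prints the BPF program on stdout;
# the exit status is non-zero if libpcap rejects the expression, which is
# the first thing to rule out when a filter "does nothing".
compile_bpf_file() {
  pcap=$(mktemp)
  make_empty_pcap "$pcap"
  tcpdump -d -r "$pcap" -F "$1"
  rc=$?
  rm -f "$pcap"
  return "$rc"
}

# Two filter files are equivalent when they compile to the same program,
# e.g. "!(host 192.168.1.1)" and "not host 192.168.1.1".
same_bpf() {
  a=$(compile_bpf_file "$1") || return 2
  b=$(compile_bpf_file "$2") || return 2
  [ "$a" = "$b" ]
}

# Usage (hypothetical script name): sh check_bpf.sh /etc/snort/bpf.filter
if [ -n "${1:-}" ]; then
  compile_bpf_file "$1"
fi
```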
