[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Michael Scheidell scheidell at ...5171...
Fri Jul 19 12:21:47 EDT 2002


> Ok, had to try.  :)
> 
> > /usr/local/bin/snort -doDI -m 022 -z \
> > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> > not src host 10.1.1.10
> >
> >
> > does not record tcp attacks.
> 
> Ok, correct me if I'm wrong:  But that's what you want, right?
> If that's the case then the failure must be in the -F option.

source of attack was 216.241.67.74.  Destination was 10.1.1.10

If I do this from .74:

lynx http://scanner.secnap.net/scripts/cmd-exe?dir+c../../c

WITHOUT BPF filter, it logs the attack.

If I do it WITH bpf filter, it ignores it (and 100% of the TCP attacks
worldwide)

Didn't use to do that, used to work.

bpf filter is not new!

> 
> Ping thought, but does TCPdump show the same behavior when passing it a 'file'
> of filters?

Snort fails if I have 'not src host' on the command line at the end as well as the -F
option.
tcpdump seems to work as expected:

tcpdump -w dump.tcp -F /etc/snort/snort.bpf
tcpdump: listening on rl0

tcpdump -Xnr dump.tcp

15:15:20.302802 216.241.67.74.1158 > 10.1.1.10.80: P 0:575(575) ack 1 win 17376 <nop,nop,timestamp 1545145 415943445> (DF)
0x0000   4500 0273 b808 4000 3306 5745 cf12 5c1a        E..s.. at ...6381...\.
0x0010   0a01 010a 0486 0050 3864 4e0f 0f38 d0de        .......P8dN..8..
0x0020   8018 43e0 1b89 0000 0101 080a 0017 93b9        ..C.............
0x0030   18ca cb15 4745 5420 2f73 6372 6970 7473        ....GET./scripts
0x0040   2f63 6d64 2d65 7865 3f64 6972 2b63 2e2e        /cmd-exe?dir+c..
0x0050   2f2e                                           /.



SO.... tcpdump is fine.


> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 
> 

-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/
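As an added check that is not part of the original thread: the Python below decodes the hex dump quoted above (tcpdump -X output, copied verbatim from the message) and evaluates the BPF expression `not src host 10.1.1.10` against it, so you can see which addresses and payload the filter is actually judging. Function and field names are this example's own.

```python
import ipaddress

# Hex dump copied from the tcpdump -Xnr output quoted in the message above.
DUMP = r"""
0x0000   4500 0273 b808 4000 3306 5745 cf12 5c1a        E..s.. at ...6381...\.
0x0010   0a01 010a 0486 0050 3864 4e0f 0f38 d0de        .......P8dN..8..
0x0020   8018 43e0 1b89 0000 0101 080a 0017 93b9        ..C.............
0x0030   18ca cb15 4745 5420 2f73 6372 6970 7473        ....GET./scripts
0x0040   2f63 6d64 2d65 7865 3f64 6972 2b63 2e2e        /cmd-exe?dir+c..
0x0050   2f2e                                           /.
"""

HEX = set("0123456789abcdefABCDEF")

def parse_hexdump(text):
    """Return packet bytes from tcpdump -X output: each line is an 0xNNNN
    offset, up to eight 4-digit hex words, then an ASCII column (skipped)."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if len(tok) in (2, 4) and set(tok) <= HEX:
                out += bytes.fromhex(tok)
            else:
                break                         # reached the ASCII column
    return bytes(out)

def decode(pkt):
    """Decode the IPv4/TCP fields a BPF host/port filter tests, plus payload.
    The dump starts at the IP header (link layer already stripped)."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    fields = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
              "dst": str(ipaddress.IPv4Address(pkt[16:20])),
              "proto": pkt[9], "sport": None, "dport": None, "payload": b""}
    if fields["proto"] == 6:                  # TCP
        tcp = pkt[ihl:]
        fields["sport"] = int.from_bytes(tcp[0:2], "big")
        fields["dport"] = int.from_bytes(tcp[2:4], "big")
        fields["payload"] = tcp[(tcp[12] >> 4) * 4:]   # skip TCP header+options
    return fields

def matches_not_src_host(fields, host):
    """'not src host <host>': True means BPF hands the packet to Snort."""
    return fields["src"] != host

if __name__ == "__main__":
    f = decode(parse_hexdump(DUMP))
    print(f["src"], "->", f["dst"], f["sport"], f["dport"], f["payload"])
    print("passes 'not src host 10.1.1.10':", matches_not_src_host(f, "10.1.1.10"))
```

The packet is destined for 10.1.1.10, not sourced from it, so the filter passes it; if Snort still logs nothing with -F, the filter expression itself is not what is excluding the packet.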