[Snort-users] Snort 1.8.7b6 not listen to BPF filters

Erek Adams erek at ...577...
Fri Jul 19 12:35:02 EDT 2002


On Fri, 19 Jul 2002, Michael Scheidell wrote:

> > > /usr/local/bin/snort -doDI -m 022 -z \
> > > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> > > not src host 10.1.1.10

Ok, assuming this is your command line...

> > > does not record tcp attacks.
> >
> > Ok, correct me if I'm wrong:  But that's what you want, right?
> > If that's the case then it the failure must be in the -F option.
>
> source of attack was 216.241.67.74.  Destination was 10.1.1.10
>
> If I do this from .74:
>
> lynx http://scanner.secnap.net/scripts/cmd-exe?dir+c../../c
>
> WITHOUT BPF filter, it loggs attack.
>
> If I do it WITH bpf filter, it ignores it (and 100% of the TCP attacks
> worldwide)
>
> didn't used to do that, used to work
>
> bpf filter is not new!

Nope it's not.  :)  But there is some parser code which is....  On the whim of
an old man, try enclosing the filter in single quotes ( ' filter foo ' ) and
see if that changes anything.  It almost seems as if snort is reading your
filter as 'not src' instead of 'not src host foo'.

> snort fails if I have not src host on command line at end as well as -F
> option.
> tcpdump seems to work as expected:

Since the code for read_file (snort.c:2712) is identical to tcpdump's
read_file except for closing the bpf filter file, I don't think it's in there.

I'm starting to think it might be parsed odd without quotes.  When I use
quotes around mine, I have no issues.   :-/


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list