[Snort-users] Snort 1.8.7b6 not listen to BPF filters
erek at ...577...
Fri Jul 19 12:35:02 EDT 2002
On Fri, 19 Jul 2002, Michael Scheidell wrote:
> > > /usr/local/bin/snort -doDI -m 022 -z \
> > > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort \
> > > not src host 10.1.1.10
Ok, assuming this is your command line...
> > > does not record tcp attacks.
> > Ok, correct me if I'm wrong: But that's what you want, right?
> > If that's the case then the failure must be in the -F option.
> source of attack was 22.214.171.124. Destination was 10.1.1.10
> If I do this from .74:
> lynx http://scanner.secnap.net/scripts/cmd-exe?dir+c../../c
> WITHOUT BPF filter, it logs the attack.
> If I do it WITH bpf filter, it ignores it (and 100% of the TCP attacks).
> It didn't use to do that; it used to work.
> bpf filter is not new!
Nope, it's not. :) But there is some parser code which is.... On the whim of
an old man, try enclosing the filter in single quotes ( ' filter foo ' ) and
see if that changes anything. It almost seems as if snort is reading your
filter as 'not src' instead of 'not src host foo'.
> snort fails if I have not src host on command line at end as well as -F
> tcpdump seems to work as expected:
Since the code for read_file (snort.c:2712) is identical to tcpdump's
read_file except for closing the bpf filter file, I don't think it's in there.
I'm starting to think it might be parsed odd without quotes. When I use
quotes around mine, I have no issues. :-/
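Since the whole exchange turns on whether the filter reaches the program as one argument or as several, here is an added example (mine, not from this thread or the Snort project) showing what each quoting form yields. The two functions are hypothetical stand-ins for two parsing approaches, taking only the first remaining argument versus joining all of them the way tcpdump does; they make no claim about what snort 1.8.7b6 itself does.

```shell
#!/bin/sh
# Added example, not from the original thread: how the shell hands a BPF
# expression to a program depending on quoting. A program that takes only its
# first remaining argument as the filter sees "not"; one that joins all
# remaining arguments (tcpdump's approach) sees the whole expression.

# Filter as seen by a program using only argv[optind] (hypothetical behaviour)
filter_from_first_arg() {
    printf '%s' "$1"
}

# Filter as seen by a program that joins every remaining argument with spaces
filter_from_all_args() {
    printf '%s' "$*"
}

# Unquoted on the command line: the shell splits it into four arguments.
filter_from_first_arg not src host 10.1.1.10 ; echo    # prints: not
filter_from_all_args  not src host 10.1.1.10 ; echo    # prints: not src host 10.1.1.10

# Single-quoted: one argument, so both approaches agree.
filter_from_first_arg 'not src host 10.1.1.10' ; echo  # prints: not src host 10.1.1.10
```

If an unquoted filter silently turns into `not` (which is not even a valid BPF expression on its own), quoting the expression is the cheapest check before digging into the -F code path.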