[Snort-users] Correct bpf_file syntax?

Miguel Alvarez miguellvrz9 at ...11827...
Tue Feb 21 18:27:01 EST 2012


I am receiving many alerts that are a FP in my environment and I'm
trying to determine the correct syntax for my bpf_file but nothing
that I've tried seems to be working.  This is the alert:

02/21-22:55:39.442989  [**] [3:13667:11] BAD-TRAFFIC dns cache
poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
{UDP} 10.1.6.1:53 -> 10.21.2.23:45498
02/21-22:55:42.154344  [**] [3:13667:11] BAD-TRAFFIC dns cache
poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
{UDP} 10.1.6.1:53 -> 10.21.2.21:46966

I've tried the following one by one (that is, not all at the same
time) but none seem to work:

not src host 10.1.6.1
!(src host 10.1.6.1)
not (src host 10.1.6.1 and dst net 10.21.2.0/24)
not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)

It makes me realise that I'm not very proficient with this, so can
someone please tell me what would be the correct syntax?  And if there
is an online reference for this, I would love to know what it might
be.

Thank you
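As an added example (not part of the post above, and not Snort's own code), the following Python script evaluates the four candidate expressions from the post against the 5-tuples in the two quoted alert lines. A Snort bpf_file is a positive selection: packets that do not match the expression are discarded before the detection engine sees them, so a filter that is meant to suppress these alerts has to evaluate to false for these packets. The evaluator implements only a small, assumed subset of the pcap-filter grammar (host/net/port with an optional src/dst qualifier, the protocol keywords udp/tcp/icmp, and/or/not with parentheses); the names parse_alert, BpfFilter and filter_selects are chosen here and are not from Snort or libpcap.

```python
import ipaddress
import re

# Alert lines copied from the post, re-joined onto single lines as Snort writes them.
ALERTS = [
    "02/21-22:55:39.442989  [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.23:45498",
    "02/21-22:55:42.154344  [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.21:46966",
]

# 5-tuple at the end of a Snort fast-format alert: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line):
    """Return the 5-tuple of a fast-format alert line as a dict, or None if none is present."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]), "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}


# Tokens: parentheses, the '!' / '&&' / '||' spellings, and words (keywords, addresses, CIDRs, ports).
TOKEN_RE = re.compile(r"\(|\)|!|&&|\|\||[\w./]+")


class BpfFilter:
    """Recursive-descent parser and evaluator for an assumed subset of pcap-filter syntax."""

    def __init__(self, text):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):  # expr := term (or term)*
        node = self._term()
        while self._peek() in ("or", "||"):
            self._next()
            node = ("or", node, self._term())
        return node

    def _term(self):  # term := factor (and factor)*
        node = self._factor()
        while self._peek() in ("and", "&&"):
            self._next()
            node = ("and", node, self._factor())
        return node

    def _factor(self):  # factor := not factor | ( expr ) | proto | [src|dst] host|net|port VALUE
        tok = self._next()
        if tok in ("not", "!"):
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("udp", "tcp", "icmp"):
            return ("proto", tok)
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._next()
        if tok not in ("host", "net", "port"):
            raise ValueError("unsupported primitive %r" % tok)
        value = self._next()
        if tok == "port":
            value = int(value)
        else:  # a bare host becomes a /32 network so host and net share one membership test
            value = ipaddress.ip_network(value, strict=False)
        return (tok, direction, value)

    def matches(self, pkt):
        """True if the filter selects this packet, i.e. Snort would go on to inspect it."""
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "proto":
            return pkt["proto"] == node[1]
        _, direction, value = node
        if kind == "port":
            ports = {"src": [pkt["sport"]], "dst": [pkt["dport"]], None: [pkt["sport"], pkt["dport"]]}
            return value in ports[direction]
        addrs = {"src": [pkt["src"]], "dst": [pkt["dst"]], None: [pkt["src"], pkt["dst"]]}
        return any(a in value for a in addrs[direction])


def filter_selects(filter_text, alert_lines):
    """One bool per alert: True where the packet would pass the filter and reach detection."""
    f = BpfFilter(filter_text)
    return [f.matches(parse_alert(line)) for line in alert_lines]


# The four expressions tried in the post.
CANDIDATES = [
    "not src host 10.1.6.1",
    "!(src host 10.1.6.1)",
    "not (src host 10.1.6.1 and dst net 10.21.2.0/24)",
    "not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)",
]

if __name__ == "__main__":
    for text in CANDIDATES:
        print("%-78s -> %s" % (text, filter_selects(text, ALERTS)))
```

For these two packets every candidate returns [False, False]: each expression, including the `!` spelling, excludes the 10.1.6.1:53 responses before detection, so the four are equivalent for this traffic. The same function can be run over a real alert file to confirm which alerts a proposed bpf_file would suppress, and which unrelated traffic (anything else from that resolver, in the case of the first two expressions) it would silently drop along with them.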



