[Snort-users] Correct bpf_file syntax?

Richard Bejtlich taosecurity at ...11827...
Wed Feb 22 17:53:17 EST 2012


Hello,

Have you tried running tcpdump with the -d flag and your various BPFs to
see how they are rendered in code?

Richard

On Tuesday, February 21, 2012, Miguel Alvarez wrote:

> I am receiving many alerts that are a FP in my environment and I'm
> trying to determine the correct syntax for my bpf_file but nothing
> that I've tried seems to be working.  This is the alert:
>
> 02/21-22:55:39.442989  [**] [3:13667:11] BAD-TRAFFIC dns cache
> poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
> {UDP} 10.1.6.1:53 -> 10.21.2.23:45498
> 02/21-22:55:42.154344  [**] [3:13667:11] BAD-TRAFFIC dns cache
> poisoning attempt [**] [Classification: Misc Attack] [Priority: 2]
> {UDP} 10.1.6.1:53 -> 10.21.2.21:46966
>
> I've tried the following one by one (that is, not all at the same
> time) but none seem to work:
>
> not src host 10.1.6.1
> !(src host 10.1.6.1)
> not (src host 10.1.6.1 and dst net 10.21.2.0/24)
> not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)
>
> It makes me realise that I'm not very proficient with this so can
> someone please tell me what would be the correct syntax?  And if there
> is an online reference for this, I would love to know what it might
> be.
>
> Thank you
>
>
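The filters quoted above can be sanity-checked offline before they go into a bpf_file. The script below is an added example and is not from this thread or from the Snort project: it parses Snort fast-format alert lines like the ones quoted, evaluates each candidate expression against the 5-tuples in those alerts with a small hand-written BPF subset (not libpcap), and reports how many of the sample flows each filter would still let through. The alert lines are the quoted ones joined onto single lines, plus one constructed unrelated TCP flow that an exclusion filter must not drop; the parser only knows `udp`/`tcp`, `src`/`dst host`, `net` in CIDR form, `port`, and `not`/`and`/`or` with parentheses, which is enough for the expressions in the mail.

```python
"""Check candidate BPF exclusion filters against the flows in Snort alerts.

Added example for the snort-users thread above, not project code.  The
evaluator is a deliberately tiny subset of BPF, written here for the check;
the authoritative compilation is still `tcpdump -d '<expr>'`.
"""
import ipaddress
import re

# Fast-alert tail: "{UDP} 10.1.6.1:53 -> 10.21.2.23:45498"
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
TOKEN_RE = re.compile(r"\(|\)|!|&&|\|\||[\w./]+")
PORT_KEY = {"src": "sport", "dst": "dport"}


def parse_alert(line):
    """Return the 5-tuple of a Snort fast-format alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


class Parser:
    """Recursive-descent parser: not binds tightest, then and, then or (as in BPF)."""

    def __init__(self, expr):
        self.toks, self.i = TOKEN_RE.findall(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        fn = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return fn

    def or_expr(self):
        left = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() in ("and", "&&"):
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.not_expr())
        return left

    def not_expr(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            fn = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return fn
        if tok in ("udp", "tcp"):
            return lambda p, proto=tok: p["proto"] == proto
        direction = ("src", "dst")  # bare host/net/port means either direction
        if tok in direction:
            direction, tok = (tok,), self.take()
        if tok == "host":
            ip = ipaddress.ip_address(self.take())
            return lambda p: any(ipaddress.ip_address(p[d]) == ip for d in direction)
        if tok == "net":
            net = ipaddress.ip_network(self.take(), strict=False)
            return lambda p: any(ipaddress.ip_address(p[d]) in net for d in direction)
        if tok == "port":
            port = int(self.take())
            return lambda p: any(p[PORT_KEY[d]] == port for d in direction)
        raise ValueError(f"unsupported primitive {tok!r}")


def compile_filter(expr):
    return Parser(expr).parse()


def packets_passing(expr, alert_lines):
    """Flows from the alert lines that the filter would still let through."""
    keep = compile_filter(expr)
    return [f for f in map(parse_alert, alert_lines) if f and keep(f)]


# Constructed sample input: the two quoted alerts on single lines plus one unrelated flow.
SAMPLE_ALERTS = [
    "02/21-22:55:39.442989  [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.23:45498",
    "02/21-22:55:42.154344  [**] [3:13667:11] BAD-TRAFFIC dns cache poisoning attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.1.6.1:53 -> 10.21.2.21:46966",
    "02/21-22:56:01.000000  [**] [1:1000000:1] constructed test alert [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.21.2.5:80",
]
CANDIDATE_FILTERS = [
    "not src host 10.1.6.1",
    "!(src host 10.1.6.1)",
    "not (src host 10.1.6.1 and dst net 10.21.2.0/24)",
    "not (udp and src host 10.1.6.1 and src port 53 and dst net 10.21.2.0/24)",
]


def check_all():
    """Map each candidate filter to the number of sample flows it still passes."""
    return {expr: len(packets_passing(expr, SAMPLE_ALERTS)) for expr in CANDIDATE_FILTERS}


if __name__ == "__main__":
    for expr, n in check_all().items():
        print(f"{n} of {len(SAMPLE_ALERTS)} sample flows still pass: {expr}")
```

All four expressions drop the two DNS flows and keep the TCP one, so the logic of each is sound against the quoted tuples; this check says nothing about how libpcap compiles them or whether Snort actually loaded the file, which is what `tcpdump -d` and the Snort startup output respectively show.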