[Snort-users] What is the correct syntax for bpf_file?

Miguel Alvarez miguellvrz9 at ...11827...
Tue Jan 29 11:59:20 EST 2013


Thanks for the reply.  I just have one line just to test:

not src host (10.10.1.1)

But it's still triggering alerts after restarting snort.

01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306

Any ideas?  I am very familiar with bpf syntax and use it on the command
line with tcpdump all the time so this is very confusing!

Thank you,

MA


On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml at ...1855...> wrote:

> Hi Miguel,
> Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
> Regards
> Rmkml
>
>
>
>
> On Tue, 29 Jan 2013, Miguel Alvarez wrote:
>
>> I have a list of my Nessus scanners in my /etc/snort/bpf_file but they're
>> still triggering alerts.  I've got them listed in the following syntax for
>> example:
>> not (src host 10.10.1.1) &&
>> not (src host 10.10.1.2) &&
>> not (src host 10.10.1.3)
>>
>> And my snort process is pointing to it:
>>
>> /usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l
>> /var/log/snort/eth6 -F /etc/snort/bpf_file
>>
>> And it shows up in the syslog when snorts starts:
>>
>> Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
>> /etc/snort/bpf_file
>> Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) &&
>> not (src host 10.10.1.2) &&
>> not (src host 10.10.1.3)
>>
>> But the alerts keep streaming in (not just this alert):
>>
>> 01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
>>
>> This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?
>>
>> Thank you!
>>
>> MA
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130129/d8c49f61/attachment.html>
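A cross-check for the situation described in this thread, added here as an example (it is not code from the Snort project or from either poster): it pulls the "not src host" exclusions out of a bpf_file written in either of the two forms shown above and reports any alert in Snort's alert_fast output whose source address is on that list. That separates "the filter expression is wrong" from "the filter is not being applied to the traffic". Everything in the block is constructed for the example: the two bpf_file texts mirror the filters in the thread, the first two alert lines copy the shape of the ones quoted, and the other two use SIDs from the local (1000000+) range with made-up messages.

```python
"""Cross-check Snort fast alerts against the 'not src host' exclusions in a -F bpf_file.

Added example for this thread, not Snort project code.  All inputs below are
constructed: the filter texts mirror the thread, the alert lines copy the
alert_fast layout quoted in it (two of them with local-range SIDs).
"""
import re
from ipaddress import ip_address

# Constructed bpf_file contents: the poster's '&&' form and the suggested 'or' form.
BPF_AND_FORM = """not (src host 10.10.1.1) &&
not (src host 10.10.1.2) &&
not (src host 10.10.1.3)
"""
BPF_OR_FORM = "not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)\n"

# Constructed alert_fast lines.  ICMP alerts carry no ports, so the parser
# must treat ':port' as optional on both sides of the arrow.
ALERT_LOG = """\
01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306
01/29-16:57:12.000001  [**] [1:1000001:1] LOCAL TEST icmp echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.1.2 -> 10.42.1.7
01/29-16:58:30.500000  [**] [1:1000002:1] LOCAL TEST ssh connect attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.42.1.9:51000 -> 10.10.1.1:22
"""

# 'not (src host A)' or 'not src host (A or B or C)'.  The optional '(' after
# 'not' covers the first form; the parenthesised alternative covers the second.
_HOST_CLAUSE = re.compile(
    r"not\s*\(?\s*src\s+host\s+(?:\(([^)]*)\)|(\d{1,3}(?:\.\d{1,3}){3}))",
    re.IGNORECASE,
)

_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def excluded_src_hosts(bpf_text):
    """Return the set of source hosts the filter negates, in either written form."""
    hosts = set()
    # The BPF compiler treats newlines as whitespace, so flatten before scanning.
    flat = " ".join(bpf_text.split())
    for m in _HOST_CLAUSE.finditer(flat):
        group = m.group(1) if m.group(1) is not None else m.group(2)
        for tok in re.split(r"\s+or\s+", group.strip(), flags=re.IGNORECASE):
            hosts.add(str(ip_address(tok.strip())))  # raises on a malformed address
    return hosts


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it is not an alert line."""
    m = _ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    return rec


def leaked_alerts(bpf_text, alert_text):
    """Return parsed alerts whose source host the filter should have excluded."""
    excluded = excluded_src_hosts(bpf_text)
    leaks = []
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is not None and rec["src"] in excluded:
            leaks.append(rec)
    return leaks


def report(bpf_text, alert_text):
    """Print one line per leaked alert and return how many there were."""
    leaks = leaked_alerts(bpf_text, alert_text)
    for r in leaks:
        print(f"filtered host {r['src']} still alerted: sid {r['sid']} "
              f"{r['msg']} -> {r['dst']}")
    return len(leaks)


if __name__ == "__main__":
    report(BPF_AND_FORM, ALERT_LOG)
```

A leak reported here means the exclusions did come out of the file as written, so the expression text is not the first suspect; both forms yield the same host set. The next check is whether the filter reaches the capture layer at all: run the same file against the interface with `tcpdump -i eth6 -F /etc/snort/bpf_file` and confirm the listed hosts disappear. If they only disappear once `vlan and` is prepended to the expression, the frames are 802.1Q-tagged, and classic BPF `host` qualifiers do not match tagged frames unless the expression includes a `vlan` qualifier.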

