[Snort-users] Re : Re: What is the correct syntax for bpf_file?

Miguel Alvarez miguellvrz9 at ...11827...
Tue Jan 29 16:05:54 EST 2013


snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i
<iface> -vvnn src host 10.10.1.1' doesn't return anything but the alerts
keep getting logged.  Why is that?!

Cheers,

MA


On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml at ...1855...> wrote:

> Thx, I'm curious what is your snort version please?
> Maybe you have vlan?
> For example can you write network traffic to a file with tcpdump and replay the file
> on tcpdump + snort with bpf?
> Do you have the same problem if you add bpf instructions on the snort cmd line?
> Regards
> Rmkml
>
>  ------------------------------
> * From: * Miguel Alvarez <miguellvrz9 at ...11827...>;
> * To: * rmkml <rmkml at ...1855...>;
> * Cc: * Snort Users <snort-users at lists.sourceforge.net>;
> * Subject: * Re: [Snort-users] What is the correct syntax for bpf_file?
> * Sent: * Tue, Jan 29, 2013 4:59:20 PM
>
> Thanks for the reply.  I just have one line just to test:
>
> not src host (10.10.1.1)
>
> But it's still triggering alerts after restarting snort.
>
> 01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to
> mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority:
> 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306
>
> Any ideas?  I am very familiar with bpf syntax and use it on the command
> line with tcpdump all the time so this is very confusing!
>
> Thank you,
>
> MA
>
>
> On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml at ...1855...> wrote:
>
>> Hi Miguel,
>> Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
>> Regards
>> Rmkml
>>
>>
>>
>>
>> On Tue, 29 Jan 2013, Miguel Alvarez wrote:
>>
>>> I have a list of my nessus scanners in my /etc/snort/bpf_file but
>>> they're still triggering alerts.  I've got them listed in the following
>>> syntax for example:
>>> not (src host 10.10.1.1) &&
>>> not (src host 10.10.1.2) &&
>>> not (src host 10.10.1.3)
>>>
>>> And my snort process is pointing to it:
>>>
>>> /usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l
>>> /var/log/snort/eth6 -F /etc/snort/bpf_file
>>>
>>> And it shows up in the syslog when snorts starts:
>>>
>>> Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
>>> /etc/snort/bpf_file
>>> Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host
>>> 10.10.1.1) &&
>>> not (src host 10.10.1.2) &&
>>> not (src host 10.10.1.3)
>>>
>>> But the alerts keep streaming in (not just this alert):
>>>
>>> 01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan
>>> OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
>>> {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
>>>
>>> This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?
>>>
>>> Thank you!
>>>
>>> MA
>>>
>>>
>
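Rmkml's "maybe you have vlan?" question above points at a common reason a `src host` BPF expression silently matches nothing: libpcap compiles it to fixed byte offsets that assume an untagged Ethernet header, so 802.1Q-tagged frames fail the check unless the expression starts with `vlan`. The following is an added illustration, not code from the thread; the frames are constructed samples and the matcher is a hand-written emulation of the offsets those two expressions compile to, not libpcap itself.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frames: the same IPv4/TCP packet from 10.10.1.1, once as a
# plain Ethernet frame and once inside an 802.1Q tag (VID 100).
ETH_DST = bytes.fromhex("001122334455")
ETH_SRC = bytes.fromhex("66778899aabb")

def ipv4_header(src: str, dst: str) -> bytes:
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags, TTL, proto=TCP, csum.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def untagged_frame(src: str, dst: str) -> bytes:
    return ETH_DST + ETH_SRC + b"\x08\x00" + ipv4_header(src, dst)

def vlan_frame(src: str, dst: str, vid: int = 100) -> bytes:
    # 802.1Q: TPID 0x8100, TCI (PCP/DEI/VID), then the real EtherType, then IP.
    return (ETH_DST + ETH_SRC + b"\x81\x00" + struct.pack("!H", vid)
            + b"\x08\x00" + ipv4_header(src, dst))

def match_src_host(frame: bytes, host: str, vlan: bool = False) -> bool:
    """Emulate 'src host X' (vlan=False) or 'vlan and src host X' (vlan=True):
    an EtherType check at offset 12, then the IPv4 source at offset 26.
    With 'vlan', libpcap checks for TPID 0x8100 and shifts later offsets by 4."""
    off = 0
    if vlan:
        if frame[12:14] != b"\x81\x00":
            return False
        off = 4
    if frame[12 + off:14 + off] != b"\x08\x00":
        return False
    return frame[26 + off:30 + off] == IPv4Address(host).packed

def filter_results(host: str) -> dict:
    """Run both expressions over an untagged and a tagged copy of the packet."""
    frames = {"untagged": untagged_frame(host, "10.42.1.0"),
              "tagged": vlan_frame(host, "10.42.1.0")}
    return {
        "src host": {k: match_src_host(f, host) for k, f in frames.items()},
        "vlan and src host": {k: match_src_host(f, host, vlan=True) for k, f in frames.items()},
    }

if __name__ == "__main__":
    for expr, res in filter_results("10.10.1.1").items():
        print(f"{expr!r:22} -> {res}")
```

If the scanner traffic arrives tagged, `src host 10.10.1.1` matches nothing (so `tcpdump` prints nothing and `not src host 10.10.1.1` lets every frame through to Snort), which is consistent with the symptom described above; `tcpdump -e` on the interface shows whether the frames carry a tag.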