[Snort-users] Re : Re: What is the correct syntax for bpf_file?

Todd Wease twease at ...1935...
Wed Jan 30 10:15:40 EST 2013


On Tue, Jan 29, 2013 at 4:05 PM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>
> snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i <iface> -vvnn src host 10.10.1.1' doesn't return anything but the alerts keep getting logged.  Why is that?!
>
> Cheers,
>
> MA

Like Rm Kml hinted at, it may be there's vlan.  Try "vlan and src host
10.10.1.1" with tcpdump and see if you get anything.  If so, your bpf
should include vlan, e.g. "vlan and not src host 10.10.1.1".  If this
doesn't work, can you attach a short pcap of the traffic?

>
>
>
> On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml at ...1855...> wrote:
>>
>> Thx, Im curious what is your snort version please ?
>> Maybe you have vlan ?
>> For example can you write network trafic with tcpdump like and replay file on tcpdump + snort with bpf ?
>> Do you have same pb if you add bpf instructions on snort cmd line ?
>> Regards
>> Rmkml
>>
>>
>> ________________________________
>> From: Miguel Alvarez <miguellvrz9 at ...11827...>;
>> To: rmkml <rmkml at ...1855...>;
>> Cc: Snort Users <snort-users at lists.sourceforge.net>;
>> Subject: Re: [Snort-users] What is the correct syntax for bpf_file?
>> Sent: Tue, Jan 29, 2013 4:59:20 PM
>>
>> Thanks for the reply.  I just have one line just to test:
>>
>> not src host (10.10.1.1)
>>
>> But it's still triggering alerts after restarting snort.
>>
>> 01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306
>>
>> Any ideas?  I am very familiar with bpf syntax and use it on the command line with tcpdump all the time so this is very confusing!
>>
>> Thank you,
>>
>> MA
>>
>>
>> On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml at ...1855...> wrote:
>>>
>>> Hi Miguel,
>>> Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or 10.10.1.3)'
>>> Regards
>>> Rmkml
>>>
>>>
>>>
>>>
>>> On Tue, 29 Jan 2013, Miguel Alvarez wrote:
>>>
>>>> I have a list of my nessus scanners in my /etc/snort/bpf_file but they're still triggering alerts.  I've got them listed in the following syntax for example:
>>>> not (src host 10.10.1.1) &&
>>>> not (src host 10.10.1.2) &&
>>>> not (src host 10.10.1.3)
>>>>
>>>> And my snort process is pointing to it:
>>>>
>>>> /usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth6 -F /etc/snort/bpf_file
>>>>
>>>> And it shows up in the syslog when snorts starts:
>>>>
>>>> Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file: /etc/snort/bpf_file
>>>> Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host 10.10.1.1) &&
>>>> not (src host 10.10.1.2) &&
>>>> not (src host 10.10.1.3)
>>>>
>>>> But the alerts keep streaming in (not just this alert):
>>>>
>>>> 01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
>>>>
>>>> This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?
>>>>
>>>> Thank you!
>>>>
>>>> MA
>>>>
>>




More information about the Snort-users mailing list