[Snort-users] Re : Re: What is the correct syntax for bpf_file?

Miguel Alvarez miguellvrz9 at ...11827...
Wed Jan 30 12:17:38 EST 2013


Thank you, Todd -- that was it!  I thought I was going crazy! :-)

Thanks again guys,

MA



On Wed, Jan 30, 2013 at 4:15 PM, Todd Wease <twease at ...1935...> wrote:

> On Tue, Jan 29, 2013 at 4:05 PM, Miguel Alvarez <miguellvrz9 at ...11827...>
> wrote:
> >
> > snort-2.9.4 with libpcap 1.3.0.  And you're right, running 'tcpdump -i
> <iface> -vvnn src host 10.10.1.1' doesn't return anything but the alerts
> keep getting logged.  Why is that?!
> >
> > Cheers,
> >
> > MA
>
> Like Rm Kml hinted at, it may be that there's a VLAN.  Try "vlan and src host
> 10.10.1.1" with tcpdump and see if you get anything.  If so, your bpf
> should include vlan, e.g. "vlan and not src host 10.10.1.1".  If this
> doesn't work, can you attach a short pcap of the traffic?
>
> >
> >
> >
> > On Tue, Jan 29, 2013 at 6:53 PM, Rm Kml <rmkml at ...1855...> wrote:
> >>
> >> Thanks, I'm curious, what is your snort version please?
> >> Maybe you have a VLAN?
> >> For example, can you write the network traffic to a file with tcpdump and replay
> the file on tcpdump + snort with the bpf?
> >> Do you have the same problem if you add the bpf instructions on the snort command line?
> >> Regards
> >> Rmkml
> >>
> >>
> >> ________________________________
> >> From: Miguel Alvarez <miguellvrz9 at ...11827...>;
> >> To: rmkml <rmkml at ...1855...>;
> >> Cc: Snort Users <snort-users at lists.sourceforge.net>;
> >> Subject: Re: [Snort-users] What is the correct syntax for bpf_file?
> >> Sent: Tue, Jan 29, 2013 4:59:20 PM
> >>
> >> Thanks for the reply.  I just have one line just to test:
> >>
> >> not src host (10.10.1.1)
> >>
> >> But it's still triggering alerts after restarting snort.
> >>
> >> 01/29-16:56:07.106637  [**] [1:2010937:2] ET POLICY Suspicious inbound
> to mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 10.10.1.1:39944 -> 10.42.1.0:3306
> >>
> >> Any ideas?  I am very familiar with bpf syntax and use it on the
> command line with tcpdump all the time so this is very confusing!
> >>
> >> Thank you,
> >>
> >> MA
> >>
> >>
> >> On Tue, Jan 29, 2013 at 5:44 PM, rmkml <rmkml at ...1855...> wrote:
> >>>
> >>> Hi Miguel,
> >>> Please try this bpf: 'not src host (10.10.1.1 or 10.10.1.2 or
> 10.10.1.3)'
> >>> Regards
> >>> Rmkml
> >>>
> >>>
> >>>
> >>>
> >>> On Tue, 29 Jan 2013, Miguel Alvarez wrote:
> >>>
> >>>> I have a list of my nessus scanners in my /etc/snort/bpf_file but
> they're still triggering alerts.  I've got them listed in the following
> syntax for example:
> >>>> not (src host 10.10.1.1) &&
> >>>> not (src host 10.10.1.2) &&
> >>>> not (src host 10.10.1.3)
> >>>>
> >>>> And my snort process is pointing to it:
> >>>>
> >>>> /usr/sbin/snort -D -i eth6 -u snort -g snort -c /etc/snort/snort.conf
> -l /var/log/snort/eth6 -F /etc/snort/bpf_file
> >>>>
> >>>> And it shows up in the syslog when snorts starts:
> >>>>
> >>>> Jan 29 16:15:53 nids1 snort[940]: Reading filter from bpf file:
> /etc/snort/bpf_file
> >>>> Jan 29 16:15:53 nids1 snort[940]: Snort BPF option: not (src host
> 10.10.1.1) &&
> >>>> not (src host 10.10.1.2) &&
> >>>> not (src host 10.10.1.3)
> >>>>
> >>>> But the alerts keep streaming in (not just this alert):
> >>>>
> >>>> 01/29-16:36:28.235294  [**] [1:2003068:6] ET SCAN Potential SSH Scan
> OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2]
> {TCP} 10.10.1.1:49870 -> 10.10.1.43:22
> >>>>
> >>>> This is snort 2.9.4.0 on CentOS 5.x.  What am I doing wrong?
> >>>>
> >>>> Thank you!
> >>>>
> >>>> MA
> >>>>
> >>
>
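Why the bpf_file above let the scanner's traffic through, as an added example that is not part of the thread and not libpcap's own code: the Python below models the offset logic libpcap uses for the `src host` and `vlan` primitives on an Ethernet link type and runs it over constructed frames. Without a `vlan` keyword, `src host` looks for ethertype 0x0800 at offset 12 and reads the source address at offset 26; on an 802.1Q-tagged frame offset 12 holds 0x8100, so `src host 10.10.1.1` never matches and `not src host 10.10.1.1` passes everything. The MAC addresses, VLAN id 100 and the second source 10.10.1.50 are made up for the demonstration; only 10.10.1.1 and 10.42.1.0 come from the thread.

```python
"""Model of why 'not src host X' lets 802.1Q-tagged traffic through.

Added example: mimics the offset handling of libpcap's 'src host' and
'vlan' primitives on DLT_EN10MB; it is not libpcap code.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Minimal Ethernet/IPv4 frame (constructed sample data), optionally 802.1Q-tagged.
    Layout: dst MAC(6) src MAC(6) [TPID(2) TCI(2)] ethertype(2) IPv4 header(20)."""
    dst_mac = bytes.fromhex("001122334455")   # arbitrary, constructed
    src_mac = bytes.fromhex("66778899aabb")
    frame = dst_mac + src_mac
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: ver/IHL, TOS, total len, id, flags/frag, TTL, proto (TCP), checksum (unset), src, dst
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return frame


def src_host(frame, host, tagged_offsets=False):
    """BPF 'src host <host>' as libpcap compiles it for Ethernet.

    Before any 'vlan' keyword: ethertype at offset 12 must be 0x0800 and the
    source address is read at offset 26.  After a 'vlan' keyword every later
    offset is shifted by the 4-byte tag (ethertype at 16, source at 30)."""
    shift = 4 if tagged_offsets else 0
    if struct.unpack_from("!H", frame, 12 + shift)[0] != ETHERTYPE_IPV4:
        return False
    return ipaddress.IPv4Address(frame[26 + shift:30 + shift]) == ipaddress.IPv4Address(host)


def vlan(frame):
    """BPF 'vlan' primitive: TPID 0x8100 at offset 12."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_8021Q


def filter_original(frame, host):
    """'not src host <host>': the bpf_file from the thread."""
    return not src_host(frame, host)


def filter_vlan(frame, host):
    """'vlan and not src host <host>': the fix suggested in the thread.
    Note that untagged frames fail the 'vlan' test and are dropped outright."""
    return vlan(frame) and not src_host(frame, host, tagged_offsets=True)


def filter_mixed(frame, host):
    """'not src host <host> and not (vlan and src host <host>)'.
    The first 'vlan' keyword shifts offsets for the remainder of the expression
    (pcap-filter man page), so the untagged clause must come first."""
    return (not src_host(frame, host)) and not (vlan(frame) and src_host(frame, host, tagged_offsets=True))


if __name__ == "__main__":
    scanner, other = "10.10.1.1", "10.10.1.50"
    frames = {
        "untagged from scanner": build_frame(scanner, "10.42.1.0"),
        "tagged   from scanner": build_frame(scanner, "10.42.1.0", vlan_id=100),
        "untagged from other  ": build_frame(other, "10.42.1.0"),
        "tagged   from other  ": build_frame(other, "10.42.1.0", vlan_id=100),
    }
    for name, f in frames.items():
        # True means the frame passes the filter and reaches Snort's detection engine
        print(f"{name}: original={filter_original(f, scanner)} "
              f"vlan={filter_vlan(f, scanner)} mixed={filter_mixed(f, scanner)}")
```

The tagged frame from the scanner passes `filter_original` (that is the behaviour seen in the thread) and is dropped by both `filter_vlan` and `filter_mixed`. The difference between the last two only shows on a mixed link: `vlan and not src host 10.10.1.1` also discards every untagged frame, so if eth6 carries both tagged and untagged traffic the longer form is the one that keeps the untagged traffic. To check what libpcap actually compiled on the sensor, `tcpdump -d 'not src host 10.10.1.1'` and `tcpdump -d 'vlan and not src host 10.10.1.1'` print the generated BPF program, where the shifted offsets are visible, and `tcpdump -i eth6 -nn -e` prints the link-level header so any 802.1Q tag shows in the capture itself.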