[Snort-users] BPF problem

James Lay jlay at ...13475...
Fri Jul 11 13:43:52 EDT 2014


On 2014-07-11 11:34, Mike Patterson wrote:
> Following up to myself: I’ve tried various permutations of my BPF
> filter to no avail. I tried Snort versions 2.9.5.3 (which is what’s on
> my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it’s reading
> my BPF filter, and always, it’s including alerts for IPs and networks
> that are in the filter.
>
> My current filter is of the form:
>
> not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)
>
> I tried a very simple filter - not net 10.0.0.0/24 - and no joy either.
>
> I know that the sensor is not simply looking inside GRE tunnels, like
> Robert was seeing - verified with tcpdump and one of our network
> engineers.
>
> The only substantial difference between these platforms is the one
> with functional BPF filters is built on an Endace DAG, and the other
> is built on an Intel X520 with PF_RING+DNA.
>
> I verified that tcpdump (built against libpcap that comes with
> PF_RING) does accept my filter. I verified that Snort is using that
> same libpcap.
>
> I’m not sure what else to try here. Any suggestions? I can tell
> barnyard2 to ignore alerts for the IPs I’d like to ignore, but it
> would be nice to save Snort the overhead in processing them (and my
> disk space).
>
> Mike

Please copy and paste an alert example.

James
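An added check that is not part of this thread: a small evaluator for the BPF subset used in the filters above (net/host/bare-address primitives, not/and/or, parentheses) run against a constructed set of flows, so that what a given expression actually lets through can be seen before suspecting the capture stack. It does not reproduce libpcap's own validation; it uses strict=False so that `net 1.2.3.4/8` is read as 1.0.0.0/8.

```python
import ipaddress
# Constructed sample flows (src, dst); not captured traffic.
PACKETS = [
    ("10.0.0.5", "8.8.8.8"),        # from the 10.0.0.0/24 net
    ("172.16.12.1", "192.0.2.10"),  # from the single host
    ("1.2.3.4", "192.0.2.10"),      # from the 1.0.0.0/8 net
    ("192.0.2.10", "192.0.2.20"),   # unrelated traffic
]
def _evaluate(toks, i, pkt):
    """Evaluate toks[i:] against pkt; return (bool, index of next token).
    Precedence as in libpcap: not binds tightest, then and, then or."""
    def primary(i):
        tok = toks[i]
        if tok == "not":
            v, i = primary(i + 1)
            return not v, i
        if tok == "(":
            v, i = or_expr(i + 1)
            if toks[i] != ")":
                raise ValueError("expected ')' at token %d" % i)
            return v, i + 1
        if tok in ("net", "host"):    # both just qualify the next address
            tok, i = toks[i + 1], i + 1
        # strict=False reads "net 1.2.3.4/8" as 1.0.0.0/8 (libpcap itself
        # rejects host bits in a net primitive; this toy does not).
        net = ipaddress.ip_network(tok, strict=False)
        # undirected primitive: true when either src or dst is in range
        return any(ipaddress.ip_address(a) in net for a in pkt), i + 1
    def and_expr(i):
        v, i = primary(i)
        while i < len(toks) and toks[i] == "and":
            w, i = primary(i + 1)
            v = v and w
        return v, i
    def or_expr(i):
        v, i = and_expr(i)
        while i < len(toks) and toks[i] == "or":
            w, i = and_expr(i + 1)
            v = v or w
        return v, i
    return or_expr(i)

def passes(expr, packets=PACKETS):
    """Return the flows a BPF expression would hand on to Snort."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    results = [_evaluate(toks, 0, p) for p in packets]
    if any(i != len(toks) for _, i in results):
        raise ValueError("trailing tokens in %r" % expr)
    return [p for p, (v, _) in zip(packets, results) if v]
```

Comparing `passes("not (net A or not net B or not C)")` with `passes("not (net A or net B or C)")` on the same flows makes the effect of the inner negations visible.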
