[Snort-users] BPF problem
jlay at ...13475...
Fri Jul 11 13:43:52 EDT 2014
On 2014-07-11 11:34, Mike Patterson wrote:
> Following up to myself: I’ve tried various permutations of my BPF
> filter to no avail. I tried Snort versions 126.96.36.199 (which is what’s
> my old sensor), 188.8.131.52, and 184.108.40.206. Always, Snort says it’s reading
> my BPF filter, and always, it’s including alerts for IPs and networks
> that are in the filter.
> My current filter is of the form:
> not (net 220.127.116.11/8 or not net 10.0.0.0/24 or not 172.16.12.1)
> I tried a very simple filter - not net 10.0.0.0/24 - and no joy
> I know that the sensor is not simply looking inside GRE tunnels, like
> Robert was seeing - verified with tcpdump and one of our network
> The only substantial difference between these platforms is the one
> with functional BPF filters is built on an Endace DAG, and the other
> is built on an Intel X520 with PF_RING+DNA.
> I verified that tcpdump (built against libpcap that comes with
> PF_RING) does accept my filter. I verified that Snort is using that
> same libpcap.
> I’m not sure what else to try here. Any suggestions? I can tell
> barnyard2 to ignore alerts for the IPs I’d like to ignore, but it
> would be nice to save Snort the overhead in processing them (and my
> disk space).
Please copy and paste an alert example.
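An added check, example code that is not from the thread or from Snort/libpcap: a toy evaluator for the not/and/or/net/host subset of BPF with libpcap's precedence, run over constructed flows against the filter form quoted above and against a version without the inner negations. 192.0.2.0/24 is a constructed stand-in for the /8 net, which the archive has garbled.

```python
# Toy evaluator for the BPF subset in the thread: not/and/or, net, host, bare IP.
import ipaddress, re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

def _addr_pred(kind, value):
    # 'net CIDR', 'host IP' and a bare IP all match when src OR dst lies inside
    net = ipaddress.ip_network(value if kind == "net" else value + "/32", strict=False)
    return lambda src, dst: src in net or dst in net

def compile_filter(text):
    """Recursive descent with libpcap precedence: 'not' binds tighter than 'and', 'and' than 'or'."""
    toks, pos = TOKEN_RE.findall(text), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def expr():                                  # term ('or' term)*
        left = term()
        while peek() == "or":
            take(); left = (lambda l, r: lambda s, d: l(s, d) or r(s, d))(left, term())
        return left
    def term():                                  # factor ('and' factor)*
        left = factor()
        while peek() == "and":
            take(); left = (lambda l, r: lambda s, d: l(s, d) and r(s, d))(left, factor())
        return left
    def factor():
        tok = take()
        if tok == "not":
            inner = factor(); return lambda s, d: not inner(s, d)
        if tok == "(":
            inner = expr(); assert take() == ")", "unbalanced parentheses"; return inner
        if tok in ("net", "host"):
            return _addr_pred(tok, take())
        return _addr_pred("host", tok)           # bare address is shorthand for host
    pred = expr()
    assert pos == len(toks), "trailing tokens"
    return lambda src, dst: pred(ipaddress.ip_address(src), ipaddress.ip_address(dst))

def packets_kept(filter_text, flows):
    """(src, dst) pairs the filter would still hand to Snort's detection engine."""
    keep = compile_filter(filter_text)
    return [f for f in flows if keep(*f)]
# Constructed flows; 192.0.2.0/24 stands in for the post's /8 net (garbled in the archive).
FLOWS = [("10.0.0.5", "203.0.113.9"), ("172.16.12.1", "203.0.113.9"),
         ("192.0.2.7", "203.0.113.9"), ("198.51.100.4", "203.0.113.9"),
         ("10.0.0.5", "172.16.12.1")]
POSTED_FORM = "not (net 192.0.2.0/24 or not net 10.0.0.0/24 or not 172.16.12.1)"
EXCLUDE_ANY = "not (net 192.0.2.0/24 or net 10.0.0.0/24 or host 172.16.12.1)"
```

Since `not (A or not B or not C)` reduces to `not A and B and C`, the posted form keeps only flows that touch both 10.0.0.0/24 and 172.16.12.1, while EXCLUDE_ANY drops anything touching any of the three; running the real filter through tcpdump -d on the sensor's libpcap shows the same reduction before the PF_RING capture path is suspected.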