[Snort-users] BPF problem

James Lay jlay at ...13475...
Fri Jul 11 14:14:56 EDT 2014


On 2014-07-11 12:05, Mike Patterson wrote:
> On Jul 11, 2014, at 2:00 PM, James Lay <jlay at ...13475...> 
> wrote:
>
>> On 2014-07-11 11:55, Mike Patterson wrote:
>>> On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 at ...14940...>
>>> wrote:
>>>
>>>> On 7/11/2014 1:34 PM, Mike Patterson wrote:
>>>>> Following up to myself: I've tried various permutations of my BPF
>>>>> filter to no avail. I tried Snort versions 2.9.5.3 (which is what's
>>>>> on my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it's
>>>>> reading my BPF filter, and always, it's including alerts for IPs and
>>>>> networks that are in the filter.
>>>>>
>>>>> My current filter is of the form:
>>>>>
>>>>> not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)
>>>>
>>>> this may not be related to your problem but i can't help seeing the
>>>> double negatives in the above... are you wanting to include or
>>>> exclude traffic to/from 10.0.0.0/24 and 172.16.12.1?
>>>>
>>>> if you want to exclude traffic from them, perhaps you mean to use
>>>>
>>>> not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)
>>>
>>> That’s actually what I’m using, I just can’t transcribe properly.
>>>
>>> Mike
>>
>> Give:
>>
>> not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)
>
> No joy.
>
> Mike

This worked for me ok:

sudo snort -i eth0 -c snort/snort.conf not net 10.0.0.0/8

You can also test just BPF ability with:

sudo snort -i eth0 not net 10.0.0.0/8

James
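Two things in this thread are worth checking outside Snort before blaming Snort. First, a BPF `net` primitive with host bits set, such as the `net 1.2.3.4/8` in the original post, is rejected by libpcap outright (tcpdump reports "non-network bits set"), so the prefix has to be written as `1.0.0.0/8`. Second, the double-negative form `not (A or not B or not C)` is logically `not A and B and C`, which admits only traffic that is in both B and C, the opposite of what the poster wanted. Both can be confirmed with `tcpdump -d '<expr>'`, which compiles the expression and dumps the resulting program without capturing anything. The script below is an added illustration, not code from the thread or from Snort: it models the BPF subset used here (`net`, `host`, a bare address meaning `host`, `not`, `and`, `or`, parentheses; no `src`/`dst` qualifiers) and evaluates the three filters from the thread against a handful of constructed src/dst pairs. Unqualified `net` and `host` match either direction, as in libpcap, and `ipaddress.ip_network` in strict mode rejects host bits the same way libpcap does.

```python
"""Model of the BPF address primitives used in the thread, to compare filter forms.

Added example; not part of Snort or of the mailing-list thread. Supports only
net/host (either direction), bare addresses (treated as host), not/and/or and
parentheses. Direction qualifiers (src/dst) are deliberately not modelled.
"""
import ipaddress
import re

# Parentheses are their own tokens; everything else is a keyword or an address.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse_filter(text):
    """Parse a BPF-style expression into a tuple tree; raises ValueError on bad input."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def expr():                       # expr := term ('or' term)*
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node

    def term():                       # term := factor ('and' factor)*
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node

    def factor():                     # factor := 'not' factor | '(' expr ')' | primitive
        tok = peek()
        if tok == "not":
            take()
            return ("not", factor())
        if tok == "(":
            take()
            node = expr()
            take(")")
            return node
        if tok == "net":
            take()
            # strict=True (the default) rejects host bits, like libpcap's
            # "non-network bits set" error for e.g. net 1.2.3.4/8.
            return ("net", ipaddress.ip_network(take()))
        if tok == "host":
            take()
            return ("host", ipaddress.ip_address(take()))
        # A bare address is shorthand for `host <address>` in libpcap.
        return ("host", ipaddress.ip_address(take()))

    node = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return node


def matches(node, src, dst):
    """True when the packet (src, dst) passes the parsed filter."""
    op = node[0]
    if op == "or":
        return matches(node[1], src, dst) or matches(node[2], src, dst)
    if op == "and":
        return matches(node[1], src, dst) and matches(node[2], src, dst)
    if op == "not":
        return not matches(node[1], src, dst)
    if op == "net":                   # unqualified net: either endpoint
        return src in node[1] or dst in node[1]
    if op == "host":                  # unqualified host: either endpoint
        return src == node[1] or dst == node[1]
    raise ValueError(f"unknown node {op!r}")


def kept(filter_text, flows):
    """Return the (src, dst) pairs that the filter lets through to Snort."""
    tree = parse_filter(filter_text)
    return [(s, d) for s, d in flows
            if matches(tree, ipaddress.ip_address(s), ipaddress.ip_address(d))]


def is_rejected(filter_text):
    """True when the expression is refused at compile time (as libpcap would refuse it)."""
    try:
        parse_filter(filter_text)
    except ValueError:
        return True
    return False


# Constructed sample flows (not captured traffic); 1.0.0.0/8 stands in for the
# post's sanitised "1.2.3.4/8".
FLOWS = [
    ("10.0.0.5", "8.8.8.8"),          # inside 10.0.0.0/24, talking out
    ("192.0.2.10", "172.16.12.1"),    # outside, talking to the excluded host
    ("1.9.9.9", "192.0.2.10"),        # inside the /8
    ("10.0.0.7", "172.16.12.1"),      # between the two excluded ranges
    ("198.51.100.1", "192.0.2.10"),   # touches none of the excluded addresses
]

# The three forms that appear in the thread.
DOUBLE_NEGATIVE = "not (net 1.0.0.0/8 or not net 10.0.0.0/24 or not 172.16.12.1)"
CORRECTED = "not (net 1.0.0.0/8 or net 10.0.0.0/24 or 172.16.12.1)"
SIMPLE = "not net 10.0.0.0/8"

if __name__ == "__main__":
    for name, f in [("double negative", DOUBLE_NEGATIVE), ("corrected", CORRECTED), ("simple", SIMPLE)]:
        print(f"{name:16} {f}\n{'':16} keeps {kept(f, FLOWS)}")
    print("net 1.2.3.4/8 rejected at compile time:", is_rejected("net 1.2.3.4/8"))
```

Running it shows the double-negative form keeping exactly one flow, the one between 10.0.0.0/24 and 172.16.12.1, while the corrected form keeps only the flow that touches none of the listed addresses. Once the expression is right, it can be handed to Snort either on the command line after the options, as in the message above, or from a file with `-F <file>`; whichever route is used, the expression that Snort reports loading should be the same one `tcpdump -d` accepts.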