[Snort-users] BPF problem

Mike Patterson mike.patterson at ...16895...
Fri Jul 11 14:44:51 EDT 2014


On Jul 11, 2014, at 2:14 PM, James Lay <jlay at ...13475...> wrote:

> On 2014-07-11 12:05, Mike Patterson wrote:
>> On Jul 11, 2014, at 2:00 PM, James Lay <jlay at ...13475...> wrote:
>> 
>>> On 2014-07-11 11:55, Mike Patterson wrote:
>>>> On Jul 11, 2014, at 1:49 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>> 
>>>>> On 7/11/2014 1:34 PM, Mike Patterson wrote:
>>>>>> Following up to myself: I’ve tried various permutations of my BPF
>>>>>> filter to no avail. I tried Snort versions 2.9.5.3 (which is what’s
>>>>>> on my old sensor), 2.9.6.0, and 2.9.6.1. Always, Snort says it’s
>>>>>> reading my BPF filter, and always, it’s including alerts for IPs and
>>>>>> networks that are in the filter.
>>>>>> 
>>>>>> My current filter is of the form:
>>>>>> 
>>>>>> not (net 1.2.3.4/8 or not net 10.0.0.0/24 or not 172.16.12.1)
>>>>> 
>>>>> this may not be related to your problem but i can't help seeing the
>>>>> double negatives in the above... are you wanting to include or exclude
>>>>> traffic to/from 10.0.0.0/24 and 172.16.12.1?
>>>>> 
>>>>> if you want to exclude traffic from them, perhaps you mean to use
>>>>> 
>>>>> not (net 1.2.3.4/8 or net 10.0.0.0/24 or 172.16.12.1)
>>>> 
>>>> That’s actually what I’m using, I just can’t transcribe properly.
>>>> 
>>>> Mike
>>> 
>>> Give:
>>> 
>>> not (net 1.2.3.4/8 or net 10.0.0.0/16 or 172.16.12.1)
>> 
>> No joy.
>> 
>> Mike
> 
> This worked for me ok:
> 
> sudo snort -i eth0 -c snort/snort.conf not net 10.0.0.0/8
> 
> You can also test just BPF ability with:
> 
> sudo snort -i eth0 not net 10.0.0.0/8

Sadly, not for me:

sudo /usr/local/bin/snort -i dna1 at ...183... --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive not net (my entire netblock)

provides a firehose. But:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: not net (my netblock)
pfring_dna DAQ configured to passive.
Acquiring network traffic from "dna1 at ...183...".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.1 GRE (Build 56) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

I know that’s an older pcap version, but it’s what ships with PF_RING.

Mike
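The double-negative filter waldo kitty flagged and the intended form can be evaluated offline before anything touches a sensor. The Python below is an added example, not code from the thread, from Snort, or from libpcap: a small evaluator for the host/net subset of BPF syntax (host, net, bare addresses, not/and/or, parentheses; unqualified host/net matches either endpoint as in libpcap, src/dst qualifiers are not supported), run over a handful of constructed packets. The packet addresses and the 1.0.0.0/8 placeholder standing in for the thread's obfuscated netblock are constructed. The parser also refuses a net whose address has bits set outside its mask (libpcap's compiler rejects these with a "non-network bits set" error), a check worth running on a filter before suspecting the DAQ.

```python
"""Offline evaluator for the host/net subset of BPF filter syntax.

Added example, not code from Snort, libpcap or the thread. Supports host A,
net A/len, bare addresses (treated as host), not/and/or and parentheses. An
unqualified host/net matches either the source or the destination address.
"""
import ipaddress
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr):
    """Split a filter into parentheses and whitespace-separated words."""
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser with libpcap's precedence: or < and < not."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of filter")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("host", "net"):
            tok = self.take()
            if tok is None:
                raise ValueError("address expected")
        # strict=True rejects host bits outside the mask (e.g. 1.2.3.4/8);
        # libpcap refuses the same thing with "non-network bits set".
        try:
            return ("net", ipaddress.ip_network(tok, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad address {tok!r}: {exc}") from None


def compile_filter(expr):
    return Parser(tokenize(expr)).parse()


def validate(expr):
    """Return None if the filter parses, otherwise the error message."""
    try:
        compile_filter(expr)
        return None
    except ValueError as exc:
        return str(exc)


def matches(node, src, dst):
    """Evaluate a parsed filter against one packet's endpoint addresses."""
    kind = node[0]
    if kind == "net":
        return src in node[1] or dst in node[1]
    if kind == "not":
        return not matches(node[1], src, dst)
    if kind == "and":
        return matches(node[1], src, dst) and matches(node[2], src, dst)
    return matches(node[1], src, dst) or matches(node[2], src, dst)


def apply_filter(expr, packets):
    """Return the (src, dst) pairs the filter would let through."""
    node = compile_filter(expr)
    return [(s, d) for s, d in packets
            if matches(node, ipaddress.ip_address(s), ipaddress.ip_address(d))]


# Constructed sample packets (src, dst); 1.0.0.0/8 stands in for the
# thread's obfuscated 1.2.3.4/8 netblock.
PACKETS = [
    ("10.0.0.5", "8.8.8.8"),          # excluded /24 talking to the outside
    ("172.16.12.1", "203.0.113.9"),   # the single excluded host
    ("1.9.9.9", "203.0.113.9"),       # inside the excluded /8
    ("198.51.100.7", "203.0.113.9"),  # unrelated traffic, should pass
    ("10.0.0.5", "172.16.12.1"),      # between two excluded networks
]

# The double-negative form as first transcribed, and the intended form.
TYPO_FILTER = "not (net 1.0.0.0/8 or not net 10.0.0.0/24 or not 172.16.12.1)"
INTENDED_FILTER = "not (net 1.0.0.0/8 or net 10.0.0.0/24 or 172.16.12.1)"

if __name__ == "__main__":
    for expr in (TYPO_FILTER, INTENDED_FILTER):
        print(expr, "->", apply_filter(expr, PACKETS))
    print("host-bits check:", validate("net 1.2.3.4/8"))
```

The intended filter keeps only the unrelated packet; the double-negative form reduces to `not A and B and C`, which keeps only traffic between the two networks the author meant to exclude. Against a live sensor, `tcpdump -d '<expr>'` prints the program libpcap actually compiles from the same expression, which separates a filter-syntax problem from a DAQ one.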