Snort mailing list archives

Re: Network Variables
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Thu, 2 May 2013 14:50:55 +0000

I dunno - I can parse that BPF expression several different ways, and the parsing results in different capture characteristics.

Does the first "not" apply to just "net 10.10.0.0/24" or to the expr "net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80"? (For instance.) This depends on the precedence and order of how Snort parses the string. I can find no doc on this in the Snort manpage, the tcpdump manpage, or the Snort manual. I suggest using parentheses for grouping so that your intent is clear.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
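To make the precedence question above concrete, here is an added example (not from this thread, and not Snort or libpcap code): a small Python evaluator for the subset of BPF syntax the filter uses. It parses an expression under two precedence models and runs it over constructed packets. The "pcap" model follows what pcap-filter(7) documents (negation binds tightest; "and" and "or" have equal precedence and associate left to right); the "and_over_or" model is the C-style rule many people assume. The model names, the `Packet` tuple, all function names and the sample packets are constructions for this example; the filter strings `THREAD_FILTER`, `NOT_ON_NET_ONLY` and `NOT_ON_WHOLE` are the thread's expression and two parenthesized readings of it, and `ASYMMETRIC` is a constructed filter on which the two models disagree.

```python
"""Toy evaluator for the BPF subset used in this thread (added example; not Snort or
libpcap code).  It parses a filter under two precedence models and runs it over
constructed packets, showing whether the filter's meaning depends on grouping.
  "pcap": as pcap-filter(7) documents: 'not' tightest; 'and'/'or' EQUAL, left-assoc.
  "and_over_or": the C-style rule many people assume ('and' binds before 'or')."""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport sport", defaults=(40000,))  # constructed
_TOKENS = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")
_ALIASES = {"&&": "and", "||": "or", "!": "not"}

class Parser:
    def __init__(self, expr, model="pcap"):
        self.toks = [_ALIASES.get(t, t) for t in _TOKENS.findall(expr)] + [None]
        self.pos = 0                              # trailing None marks the end
        self.prec = {"or": 1, "and": 2 if model == "and_over_or" else 1}
    def take(self):
        tok = self.toks[self.pos]
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return tok
    def parse(self):
        node = self.expr(1)
        if self.toks[self.pos] is not None:
            raise SyntaxError(f"trailing token {self.toks[self.pos]!r}")
        return node
    def expr(self, min_prec):                     # precedence climbing
        left = self.unary()
        while self.prec.get(self.toks[self.pos], 0) >= min_prec:
            op = self.take()
            left = (op, left, self.expr(self.prec[op] + 1))   # +1: left-associative
        return left
    def unary(self):
        tok = self.take()
        if tok == "not":                          # negation binds tightest
            return ("not", self.unary(), None)
        if tok == "(":
            node = self.expr(1)
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        qual = None
        if tok in ("src", "dst"):
            qual, tok = tok, self.take()
        if tok == "net":
            return ("net", qual, ipaddress.ip_network(self.take(), strict=False))
        if tok == "host":
            return ("host", qual, ipaddress.ip_address(self.take()))
        if tok == "port":
            return ("port", qual, int(self.take()))
        raise SyntaxError(f"unsupported primitive {tok!r}")

def render(node):   # fully parenthesised text of a parse tree, so the grouping is visible
    kind, a, b = node
    if kind == "not":
        return f"not {render(a)}"
    if kind in ("and", "or"):
        return f"({render(a)} {kind} {render(b)})"
    return " ".join(str(t) for t in (a, kind, b) if t is not None)   # qual kind value

def matches(node, pkt):
    kind, a, b = node
    if kind == "not":
        return not matches(a, pkt)
    if kind == "and":
        return matches(a, pkt) and matches(b, pkt)
    if kind == "or":
        return matches(a, pkt) or matches(b, pkt)
    ends = {"src": (pkt.src, pkt.sport), "dst": (pkt.dst, pkt.dport)}
    ends = [ends[a]] if a else list(ends.values())        # unqualified: either end
    if kind == "port":
        return any(port == b for _, port in ends)
    addrs = [ipaddress.ip_address(addr) for addr, _ in ends]
    return any(x in b if kind == "net" else x == b for x in addrs)

def evaluate(expr, packets, model="pcap"):
    return [matches(Parser(expr, model).parse(), p) for p in packets]

def precedence_sensitive(expr, packets):   # do the two models disagree on any packet?
    return evaluate(expr, packets, "pcap") != evaluate(expr, packets, "and_over_or")

# The thread's filter verbatim, plus two explicitly grouped readings of it.
THREAD_FILTER = ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 "
                 "or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
NOT_ON_NET_ONLY = ("(not net 10.10.0.0/24 and dst host 10.75.45.1 and dst port 80) "
                   "or (not net 10.30.0.0/24 and dst host 10.75.45.1 and dst port 80)")
NOT_ON_WHOLE = ("not (net 10.10.0.0/24 and dst host 10.75.45.1 and dst port 80) "
                "or not (net 10.30.0.0/24 and dst host 10.75.45.1 and dst port 80)")
ASYMMETRIC = "dst port 80 or dst port 443 and net 10.10.0.0/24"  # models diverge here

SAMPLE = [                                   # constructed sample traffic
    Packet("10.10.0.5", "10.75.45.1", 80),   # 10.10/24 -> web server
    Packet("10.30.0.9", "10.75.45.1", 80),   # 10.30/24 -> web server
    Packet("192.0.2.7", "10.75.45.1", 80),   # elsewhere -> web server
    Packet("10.10.0.5", "10.75.45.1", 443),  # same source, HTTPS instead
    Packet("10.10.0.5", "10.76.65.1", 21),   # the FTP attempt mentioned later in the thread
]
```

Calling `render(Parser(expr, model).parse())` prints the grouping each model chooses, and `evaluate(expr, SAMPLE, model)` shows what each grouping admits. For the thread's filter the two models happen to agree, because the expression is symmetric: under either rule it reduces to "dst host 10.75.45.1 and dst port 80 and (not one net or not the other)", so only port-80 traffic to 10.75.45.1 passes and everything else, including an FTP attempt to 10.76.65.1, is dropped before any Snort rule sees it. Grouping it as `NOT_ON_WHOLE` instead matches every sample packet. The `ASYMMETRIC` filter shows the models disagreeing on real packets, which is the case the parentheses Shane recommends guard against. This toy only mirrors the documented rules; confirm what your libpcap actually compiles with `tcpdump -d '<expr>'`, which dumps the compiled filter and exits.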

-----Original Message-----
From: Seth Dunn [mailto:seth () d2ms com] 
Sent: Thursday, May 02, 2013 08:09
To: James Lay; Snort
Subject: Re: [Snort-users] Network Variables

Also of note.
It seems that if snort starts with a bpf file configured....then for whatever reason, all traffic is no longer monitored, even though snort has started.
So while this rule::
not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

is pretty specific.....
I have another rule set in my local.rules file that should alert on any FTP attempt to IP 10.76.65.1....and if the bpf file is configured for snort, then the attempt is not alerted by snort.
If I remove the bpf file from being used, then any FTP attempt is again alerted.

 

From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Thursday, May 02, 2013 8:10 AM
To: Snort
Subject: Re: [Snort-users] Network Variables

 

Quotation marks may be needed...try appending via command line as well.

 

James

 

On May 2, 2013, at 5:50 AM, Seth Dunn <seth () d2ms com> wrote:





What is DAQ?  I have seen that, but have no idea what that is.

As far as my bpf file goes, if it is like this::

 

#not net 10.10.0.0/24 and not net 10.30.0.0/24

not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80


It will fail with::

Reading filter from bpf file: D:\Snort\etc\ignore2.bpf

ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)

Fatal Error, Quitting..

 

If I remove the commented line, then snort starts fine.
If I try to have multiple lines in the file, (all being rules, no comments) then it will fail with a similar error as above.
I have never seen a DAQ error.

 

From: Russ Combs [mailto:rcombs () sourcefire com] 
Sent: Thursday, May 02, 2013 12:08 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

 

Snort does allow comments in the BPF file, starting with # to end of line.  If there is a syntax error, you should see 
something like:

 

ERROR: Can't set DAQ BPF filter to '

...      

' (pcap_daq_set_filter: pcap_compile: syntax error)!

Fatal Error, Quitting..

 

What DAQ are you using?  Please send the BPF file that fails and the error that you get.

 

On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 5/1/2013 13:09, Seth Dunn wrote:
But any ideas why snort fails to start if I add in a '#' to comment a line??

i have no clue but it sounds like a coding error not allowing comment lines in the BPF file... only joel or one of the snort dev guys can tell us that... or possibly a code diver who can root around in the snort code ;)


--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

 


 



