Re: [Snort-users] Network Variables

From: James Lay (jlayslave-tothe-box.net)
Date: Thu May 02 2013 - 10:03:11 CDT


Yea that was a single quote ;) Guessing it's a windows-ism, but glad
it's working now :)

James

On 2013-05-02 09:01, Seth Dunn wrote:
> If I do quotes " vs. apostrophe '
> That seems to work on the command line
>
> -----Original Message-----
> From: Castle, Shane [mailto:scastlebouldercounty.org]
> Sent: Thursday, May 02, 2013 10:51 AM
> To: Seth Dunn; 'James Lay'; 'Snort'
> Subject: RE: [Snort-users] Network Variables
>
> I dunno - I can parse that BPF expression several different ways, and
> the parsing results in different capture characteristics.
>
> Does the first "not" apply to just "net 10.10.0.0/24" or to the expr
> "net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80"? (For
> instance.) This depends on the precedence and order of how Snort parses
> the string. I can find no doc on this in the Snort manpage, the tcpdump
> manpage, or the Snort manual. I suggest using parentheses for grouping
> so that your intent is clear.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
>
> -----Original Message-----
> From: Seth Dunn [mailto:sethd2ms.com]
> Sent: Thursday, May 02, 2013 08:09
> To: James Lay; Snort
> Subject: Re: [Snort-users] Network Variables
>
> Also of note.
> It seems that if snort starts with a bpf file configured....then for
> whatever reason, all traffic is no longer monitored, even though snort
> has started.
> So while this rule::
> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net
> 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>
> is pretty specific.....
> I have another rule set in my local.rules file that should alert on any
> FTP attempt to IP 10.76.65.1....and if the bpf file is configured for
> snort, then the attempt is not alerted by snort.
> If I remove the bpf file from being used, then any FTP attempt is again
> alerted.
>
>
>
> From: James Lay [mailto:jlayslave-tothe-box.net]
> Sent: Thursday, May 02, 2013 8:10 AM
> To: Snort
> Subject: Re: [Snort-users] Network Variables
>
> Quotation marks may be needed...try appending via command line as
> well.
>
> James
>
> On May 2, 2013, at 5:50 AM, Seth Dunn <sethd2ms.com> wrote:
>
> What is DAQ? I have seen that, but have no idea what that is.
>
> As far as my bpf file goes, if it is like this::
>
> #not net 10.10.0.0/24 and not net 10.30.0.0/24
>
> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net
> 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>
> It will fail with::
>
> Reading filter from bpf file: D:\Snort\etc\ignore2.bpf
>
> ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)
>
> Fatal Error, Quitting..
>
> If I remove the commented line, then snort starts fine.
> If I try to have multiple lines in the file, (all being rules, no
> comments) then it will fail with a similar error as above.
> I have never seen a DAQ error.
>
> From: Russ Combs [mailto:rcombssourcefire.com]
> Sent: Thursday, May 02, 2013 12:08 AM
> To: waldo kitty
> Cc: snort-userslists.sourceforge.net
> Subject: Re: [Snort-users] Network Variables
>
> Snort does allow comments in the BPF file, starting with # to end of
> line. If there is a syntax error, you should see something like:
>
> ERROR: Can't set DAQ BPF filter to '
> ...
> ' (pcap_daq_set_filter: pcap_compile: syntax error)!
> Fatal Error, Quitting..
>
> What DAQ are you using? Please send the BPF file that fails and the
> error that you get.
>
> On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42windstream.net>
> wrote:
>
> On 5/1/2013 13:09, Seth Dunn wrote:
>> But any ideas why snort fails to start if I add in a '#' to comment a
>> line??
>
> i have no clue but it sounds like a coding error not allowing comment
> lines in the BPF file... only joel or one of the snort dev guys can tell
> us that... or possibly a code diver who can root around in the snort
> code ;)
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please keep mailing list traffic on the list unless
> private contact is specifically requested and granted.
>

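Added example, not part of the thread and not Snort's or libpcap's own code. Two things the thread circles around can be checked offline. First, a BPF file is a capture filter: libpcap discards every packet that does not match before any Snort rule sees it, so a rule for FTP to 10.76.65.1 can only fire if the filter lets that traffic through. Second, the grouping Shane asks about is documented in pcap-filter(7): negation binds tightest, while alternation (`or`) and concatenation (`and`) have equal precedence and associate left to right; `!`, `&&` and `||` are synonyms. The Python below parses a host/net/port subset of the filter language with exactly that precedence and evaluates it against constructed packets. The sample packets, the comment-stripping loader and the parenthesised "intended" filter are assumptions for illustration, not anything the thread states.

```python
"""Evaluate pcap-style BPF expressions against constructed packets using
the precedence pcap-filter(7) documents: 'not'/'!' binds tightest, and
'and'/'&&' and 'or'/'||' have EQUAL precedence, grouping left to right.
Illustration only; this is not libpcap's or Snort's parser."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:  # minimal constructed view: IPv4 addresses + transport ports
    src: str
    dst: str
    sport: int
    dport: int


TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")


def parse_filter(expr: str):
    """Parse host/net/port (optionally src/dst) into nested tuples:
    ('and'|'or', l, r), ('not', x), ('addr', dir, kind, value), ('port', dir, n)."""
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise SyntaxError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def parse_expr():
        # and/or share one precedence level and associate left to right,
        # as pcap-filter(7) states; this is the surprising part.
        node = parse_not()
        while peek() in ("and", "&&", "or", "||"):
            op = "and" if take() in ("and", "&&") else "or"
            node = (op, node, parse_not())
        return node

    def parse_not():
        if peek() in ("not", "!"):
            take()
            return ("not", parse_not())
        return parse_primary()

    def parse_primary():
        tok = take()
        if tok == "(":
            node = parse_expr()
            if take() != ")":
                raise SyntaxError("expected ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok in ("host", "net"):
            return ("addr", direction, tok, take())
        if tok == "port":
            return ("port", direction, int(take()))
        raise SyntaxError(f"unsupported token {tok!r}")

    tree = parse_expr()
    if peek() is not None:
        raise SyntaxError(f"trailing token {peek()!r}")
    return tree


def matches(tree, pkt: Packet) -> bool:
    """Would the capture filter hand this packet on to Snort's rules?"""
    kind = tree[0]
    if kind == "and":
        return matches(tree[1], pkt) and matches(tree[2], pkt)
    if kind == "or":
        return matches(tree[1], pkt) or matches(tree[2], pkt)
    if kind == "not":
        return not matches(tree[1], pkt)
    if kind == "addr":
        _, direction, _, value = tree
        net = ipaddress.ip_network(value, strict=False)  # 'host x' is x/32
        fields = {"src": [pkt.src], "dst": [pkt.dst], None: [pkt.src, pkt.dst]}
        return any(ipaddress.ip_address(a) in net for a in fields[direction])
    _, direction, value = tree  # ('port', dir, n); no dir means either side
    fields = {"src": [pkt.sport], "dst": [pkt.dport], None: [pkt.sport, pkt.dport]}
    return value in fields[direction]


def load_bpf_text(text: str) -> str:
    """Drop '#' comments to end of line and join the rest into one expression
    (an assumed comment-tolerant loader, not Snort's actual file reader)."""
    kept = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    return " ".join(line for line in kept if line)


# Constructed sample traffic (assumption, not from the thread).
SAMPLE_PACKETS = {
    "web_from_10.10": Packet("10.10.0.5", "10.75.45.1", 40000, 80),
    "web_from_10.30": Packet("10.30.0.5", "10.75.45.1", 40001, 80),
    "web_from_elsewhere": Packet("10.50.0.5", "10.75.45.1", 40002, 80),
    "ftp_to_10.76.65.1": Packet("10.50.0.5", "10.76.65.1", 40003, 21),
}

# The thread's file with the e-mail line wrapping undone: one comment, one expression.
SETH_BPF_FILE = """#not net 10.10.0.0/24 and not net 10.30.0.0/24
not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
"""

# Assumed intent (the thread never says): ignore web traffic from those two
# nets to 10.75.45.1, keep everything else. Parentheses make it unambiguous.
INTENDED_FILTER = ("not (net 10.10.0.0/24 and dst host 10.75.45.1 and dst port 80) "
                   "and not (net 10.30.0.0/24 and dst host 10.75.45.1 and dst port 80)")


def capture_set(expr: str, packets=SAMPLE_PACKETS):
    """Sorted names of the sample packets the filter lets through."""
    tree = parse_filter(expr)
    return sorted(name for name, pkt in packets.items() if matches(tree, pkt))
```

With the file as written, `capture_set(load_bpf_text(SETH_BPF_FILE))` returns only the three packets to 10.75.45.1:80 and never the FTP packet: after left-to-right grouping the trailing `and dst host 10.75.45.1 and dst port 80` applies to the whole expression, and the two `not net` clauses cancel each other out, so every packet not bound for that one web service is dropped before the rules run. That is consistent with the FTP rule going quiet whenever the file is in use. The parenthesised filter gives the opposite and presumably intended result. Note that `port 80 or port 21 and not net 10.0.0.0/8` groups as `(port 80 or port 21) and not net 10.0.0.0/8`, which is not what C-style precedence would suggest; that is the case for always parenthesising. The `short read (169 != 170)` error is a byte-count mismatch while reading the file, not a compile error, so a syntax check like this one will not reproduce it.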
------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!