Re: [Snort-users] Network Variables

sethd2ms.com
Date: Thu May 02 2013 - 10:53:43 CDT


I can do some looking into this. But for my editor I am using notepad2, which I got from the winsnort web site.
Sent by BlackBerry

-----Original Message-----
From: "Castle, Shane" <scastlebouldercounty.org>
Date: Thu, 2 May 2013 15:34:29
To: 'Seth Dunn'<sethd2ms.com>; 'James Lay'<jlayslave-tothe-box.net>; 'Snort'<snort-userslists.sourceforge.net>
Subject: RE: [Snort-users] Network Variables

Speaking of Windows - it's possible that the Windows version of Snort does not correctly read a Windows text file, which is what the BPF file is, and that it expects lines to end with only LF (\n) rather than CR-LF (\n\r) - the latter is the Windows style. (This seems farfetched now that I'm rereading this before sending it, since the snort.conf will have to be processed correctly, but hey, maybe they didn't update the BPF reading section.)

The old Wordpad used to let you save files in Unix line-end style rather than Windows, but I don't see that capability any more. You can get dos2unix from SourceForge that will take care of the conversion, if that's required.

None of the Snort docs admit to allowing comment lines in the BPF expression file - I suspect it is parsed the same way that it would be if it were on the command line, in which a comment would not make sense. Yes, for a filter expression file, allowing comments does make sense - maybe we could get the Snort developers to permit that?

It'd be nice for a Snort developer or innards whiz to comment on this thread. He might shrug and say "run it in Linux, don't use Windows" but still - it's no fun programming in the dark.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Seth Dunn [mailto:sethd2ms.com]
Sent: Thursday, May 02, 2013 09:08
To: James Lay; Snort
Subject: Re: [Snort-users] Network Variables

Yeah, it is a windows thing.....gotta love it. :D

-----Original Message-----
From: James Lay [mailto:jlayslave-tothe-box.net]
Sent: Thursday, May 02, 2013 11:03 AM
To: Snort
Subject: Re: [Snort-users] Network Variables

Yea that was a single quote ;) Guessing it's a windows-ism, but glad it's working now :)

James

On 2013-05-02 09:01, Seth Dunn wrote:
> If I do quotes " vs. apostrophe '
> That seems to work on the command line
>
> -----Original Message-----
> From: Castle, Shane [mailto:scastlebouldercounty.org]
> Sent: Thursday, May 02, 2013 10:51 AM
> To: Seth Dunn; 'James Lay'; 'Snort'
> Subject: RE: [Snort-users] Network Variables
>
> I dunno - I can parse that BPF expression several different ways, and
> the parsing results in different capture characteristics.
>
> Does the first "not" apply to just "net 10.10.0.0/24" or to the expr
> "net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80"? (For
> instance.) This depends on the precedence and order of how Snort
> parses the string. I can find no doc on this in the Snort manpage, the
> tcpdump manpage, or the Snort manual. I suggest using parentheses for
> grouping so that your intent is clear.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
>
> -----Original Message-----
> From: Seth Dunn [mailto:sethd2ms.com]
> Sent: Thursday, May 02, 2013 08:09
> To: James Lay; Snort
> Subject: Re: [Snort-users] Network Variables
>
> Also of note.
> It seems that if snort starts with a bpf file configured....then for
> whatever reason, all traffic is no longer monitored, even though snort
> has started.
> So while this rule::
> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>
> is pretty specific.....
> I have another rule set in my local.rules file that should alert on any
> FTP attempt to IP 10.76.65.1....and if the bpf file is configured for
> snort, then the attempt is not alerted by snort.
> If I remove the bpf file from being used, then any FTP attempt is again
> alerted.
>
> From: James Lay [mailto:jlayslave-tothe-box.net]
> Sent: Thursday, May 02, 2013 8:10 AM
> To: Snort
> Subject: Re: [Snort-users] Network Variables
>
> Quotation marks may be needed...try appending via command line as well.
>
> James
>
> On May 2, 2013, at 5:50 AM, Seth Dunn <sethd2ms.com> wrote:
>
> What is DAQ? I have seen that, but have no idea what that is.
>
> As far as my bpf file goes, if it is like this::
>
> #not net 10.10.0.0/24 and not net 10.30.0.0/24
> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>
> It will fail with::
>
> Reading filter from bpf file: D:\Snort\etc\ignore2.bpf
> ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)
> Fatal Error, Quitting..
>
> If I remove the commented line, then snort starts fine.
> If I try to have multiple lines in the file, (all being rules, no
> comments) then it will fail with a similar error as above.
> I have never seen a DAQ error.
>
> From: Russ Combs [mailto:rcombssourcefire.com]
> Sent: Thursday, May 02, 2013 12:08 AM
> To: waldo kitty
> Cc: snort-userslists.sourceforge.net
> Subject: Re: [Snort-users] Network Variables
>
> Snort does allow comments in the BPF file, starting with # to end of
> line. If there is a syntax error, you should see something like:
>
> ERROR: Can't set DAQ BPF filter to '
> ...
> ' (pcap_daq_set_filter: pcap_compile: syntax error)!
> Fatal Error, Quitting..
>
> What DAQ are you using? Please send the BPF file that fails and the
> error that you get.
>
> On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42windstream.net> wrote:
>
>
> On 5/1/2013 13:09, Seth Dunn wrote:
>> But any ideas why snort fails to start if I add in a '#' to comment a
>> line??
>
> i have no clue but it sounds like a coding error not allowing comment
> lines in the BPF file... only joel or one of the snort dev guys can tell
> us that... or possibly a code diver who can root around in the snort
> code ;)
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please keep mailing list traffic on the list unless
> private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> Introducing AppDynamics Lite, a free troubleshooting tool for
> Java/.NET
> Get 100% visibility into your production application - at no cost.
> Code-level diagnostics for performance bottlenecks with <2% overhead
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap1
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
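An added Python model (mine, not code from the thread or from Snort) of how libpcap groups the filter discussed above. It implements the precedence rule from pcap-filter(7), where `not` binds tightest and `and`/`or` rank equally and associate left to right, over the primitives the thread uses (`net`, `dst host`, `dst port`, parentheses) and runs Seth's filter plus a grouped alternative over constructed packets; the grouped filter's intent is my assumption, read from his commented-out line.

```python
import ipaddress, re
# Constructed evaluator for the pcap filter subset used in the thread, with
# pcap-filter(7) precedence: 'not' binds tightest; 'and'/'&&' and 'or'/'||'
# have EQUAL precedence and associate left to right (not C-style and-before-or).
TOKEN = re.compile(r"\(|\)|&&|\|\||[^\s()]+")

def parse(expr):
    toks, pos = TOKEN.findall(expr), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def primary():
        t = take()
        if t == "(":
            node = binary()
            take()                                  # consume ')'
            return node
        if t == "not":
            return lambda p, inner=primary(): not inner(p)
        if t == "net":                              # src OR dst inside the net
            return lambda p, n=ipaddress.ip_network(take()): p["src"] in n or p["dst"] in n
        if t == "dst":                              # only 'dst host' / 'dst port'
            kind, val = take(), take()
            if kind == "host":
                return lambda p, h=ipaddress.ip_address(val): p["dst"] == h
            return lambda p, v=int(val): p["dport"] == v
        raise ValueError("unsupported token: %r" % t)
    def binary():                                   # flat left-to-right chain
        node = primary()
        while pos < len(toks) and toks[pos] in ("and", "&&", "or", "||"):
            op, lhs, rhs = take(), node, primary()
            node = lambda p, l=lhs, r=rhs, c=(op in ("and", "&&")): (l(p) and r(p)) if c else (l(p) or r(p))
        return node
    return binary()

# Seth's filter as posted; GROUPED is the assumed intent (from his commented-out line).
AS_WRITTEN = ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or "
              "not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
GROUPED = "not ((net 10.10.0.0/24 or net 10.30.0.0/24) and dst host 10.75.45.1 and dst port 80)"
SAMPLES = [("10.10.0.5", "10.75.45.1", 80),   # 0: web from net A (constructed)
           ("10.30.0.9", "10.75.45.1", 80),   # 1: web from net B
           ("192.0.2.7", "10.75.45.1", 80),   # 2: web from elsewhere
           ("192.0.2.7", "10.76.65.1", 21),   # 3: FTP that local.rules should alert on
           ("10.10.0.5", "10.75.45.1", 21)]   # 4: non-web from net A

def seen_by_snort(filter_expr):
    """Indexes of SAMPLES that the BPF passes on to Snort's rule engine."""
    f = parse(filter_expr)
    return [i for i, (s, d, dport) in enumerate(SAMPLES) if f(
        {"src": ipaddress.ip_address(s), "dst": ipaddress.ip_address(d), "dport": dport})]
```

Under these rules the as-posted filter still passes web traffic from both nets to 10.75.45.1 and drops the FTP packet entirely, which matches what Seth reports: a BPF file decides what Snort sees at all, so rules for traffic outside it can never fire.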
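An added check, mine rather than anything from the thread or from Snort, for the CR-LF hypothesis Shane raises: if the two lines Seth posted are saved with one CRLF between them and no trailing newline (single spaces assumed), the file is 170 bytes on disk and 169 bytes after a text-mode CRLF-to-LF translation, the exact pair in the "short read" error. The block measures that mismatch and rewrites such a file into a single LF-terminated line with comments stripped, which sidesteps both the line-ending and the comment question.

```python
# Constructed reproduction of the two-line BPF file from the thread as a
# Windows editor would save it: CRLF between the lines, no trailing newline.
RAW = (b"#not net 10.10.0.0/24 and not net 10.30.0.0/24\r\n"
       b"not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or "
       b"not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
BOM = b"\xef\xbb\xbf"                      # UTF-8 BOM some Windows editors prepend

def windows_artifacts(raw):
    """Name the Windows-editor leftovers that trip a Unix-minded file reader."""
    found = []
    if raw.startswith(BOM):
        found.append("bom")                # pcap_compile would see junk bytes first
    if b"\r\n" in raw:
        found.append("crlf")               # a text-mode read returns fewer bytes
    return found

def size_vs_text_mode_read(raw):
    """(on-disk size, bytes a C-runtime text-mode read returns): a mismatch is
    the 'short read (x != y)' pattern, one byte short per CRLF pair."""
    return len(raw), len(raw.replace(b"\r\n", b"\n"))

def normalize_bpf(raw):
    """Rewrite a BPF file as one LF-terminated line: drop a BOM, drop '#'
    comments to end of line, join the remaining lines with single spaces.
    Non-ASCII bytes have no place in a filter, so decoding is left strict."""
    if raw.startswith(BOM):
        raw = raw[len(BOM):]
    parts = []
    for line in raw.decode("ascii").splitlines():
        expr = line.split("#", 1)[0].strip()
        if expr:
            parts.append(expr)
    return (" ".join(parts) + "\n").encode("ascii")
```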