Re: [Snort-users] Network Variables

From: beenph (beenphgmail.com)
Date: Thu May 02 2013 - 12:32:45 CDT


This might help you Seth

http://biot.com/capstats/bpf.html

On Thu, May 2, 2013 at 1:23 PM, Seth Dunn <sethd2ms.com> wrote:
> So now my question comes, since you were wondering about the rule I was
> using.
> This is my rule::
> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>
> By my understanding, and my desire to see happen is this.
> Traffic from the network 10.10.0.0/24 going to http at 10.75.45.1 should
> be ignored.
> Also, traffic from the network 10.30.0.0/24 going to http at 10.75.45.1
> should be ignored.
> All other traffic is still monitored.
>
> Is this correct, based on the rule above, or should it be worded another
> way?
>
> -----Original Message-----
> From: Castle, Shane [mailto:scastlebouldercounty.org]
> Sent: Thursday, May 02, 2013 11:34 AM
> To: Seth Dunn; 'James Lay'; 'Snort'
> Subject: RE: [Snort-users] Network Variables
>
> Speaking of Windows - it's possible that the Windows version of Snort
> does not correctly read a Windows text file, which is what the BPF file
> is, and that it expects lines to end with only LF (\n) rather than CR-LF
> (\n\r) - the latter is the Windows style. (This seems farfetched now
> that I'm rereading this before sending it, since the snort.conf will
> have to be processed correctly, but hey, maybe they didn't update the
> BPF reading section.)
>
> The old Wordpad used to let you save files in Unix line-end style rather
> than Windows, but I don't see that capability any more. You can get
> dos2unix from SourceForge that will take care of the conversion, if
> that's required.
>
> None of the Snort docs admit to allowing comment lines in the BPF
> expression file - I suspect it is parsed the same way that it would be
> if it were on the command line, in which a comment would not make sense.
> Yes, for a filter expression file, allowing comments does make sense -
> maybe we could get the Snort developers to permit that?
>
> It'd be nice for a Snort developer or innards whiz to comment on this
> thread. He might shrug and say "run it in Linux, don't use Windows" but
> still - it's no fun programming in the dark.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
>
>
> -----Original Message-----
> From: Seth Dunn [mailto:sethd2ms.com]
> Sent: Thursday, May 02, 2013 09:08
> To: James Lay; Snort
> Subject: Re: [Snort-users] Network Variables
>
> Yeah, it is a windows thing.....gotta love it. :D
>
> -----Original Message-----
> From: James Lay [mailto:jlayslave-tothe-box.net]
> Sent: Thursday, May 02, 2013 11:03 AM
> To: Snort
> Subject: Re: [Snort-users] Network Variables
>
> Yea that was a single quote ;) Guessing it's a windows-ism, but glad
> it's working now :)
>
> James
>
> On 2013-05-02 09:01, Seth Dunn wrote:
>> If I do quotes " vs. apostrophe '
>> That seems to work on the command line
>>
>> -----Original Message-----
>> From: Castle, Shane [mailto:scastlebouldercounty.org]
>> Sent: Thursday, May 02, 2013 10:51 AM
>> To: Seth Dunn; 'James Lay'; 'Snort'
>> Subject: RE: [Snort-users] Network Variables
>>
>> I dunno - I can parse that BPF expression several different ways, and
>> the parsing results in different capture characteristics.
>>
>> Does the first "not" apply to just "net 10.10.0.0/24" or to the expr
>> "net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80"? (For
>> instance.) This depends on the precedence and order of how Snort
>> parses the string. I can find no doc on this in the Snort manpage, the
>> tcpdump manpage, or the Snort manual. I suggest using parentheses for
>> grouping so that your intent is clear.
>>
>> --
>> Shane Castle
>> Data Security Mgr, Boulder County IT
>>
>> -----Original Message-----
>> From: Seth Dunn [mailto:sethd2ms.com]
>> Sent: Thursday, May 02, 2013 08:09
>> To: James Lay; Snort
>> Subject: Re: [Snort-users] Network Variables
>>
>> Also of note.
>> It seems that if snort starts with a bpf file configured....then for
>> whatever reason, all traffic is no longer monitored, even though snort
>> has started.
>> So while this rule::
>> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>>
>> is pretty specific.....
>> I have another rule set in my local.rules file that should alert on any
>> FTP attempt to IP 10.76.65.1....and if the bpf file is configured for
>> snort, then the attempt is not alerted by snort.
>> If I remove the bpf file from being used, then any FTP attempt is again
>> alerted.
>>
>>
>>
>> From: James Lay [mailto:jlayslave-tothe-box.net]
>> Sent: Thursday, May 02, 2013 8:10 AM
>> To: Snort
>> Subject: Re: [Snort-users] Network Variables
>>
>> Quotation marks may be needed...try appending via command line as
>> well.
>>
>> James
>>
>> On May 2, 2013, at 5:50 AM, Seth Dunn <sethd2ms.com> wrote:
>>
>> What is DAQ? I have seen that, but have no idea what that is.
>>
>> As far as my bpf file goes, if it is like this::
>>
>> #not net 10.10.0.0/24 and not net 10.30.0.0/24
>>
>> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>>
>> It will fail with::
>>
>> Reading filter from bpf file: D:\Snort\etc\ignore2.bpf
>> ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)
>> Fatal Error, Quitting..
>>
>> If I remove the commented line, then snort starts fine.
>> If I try to have multiple lines in the file, (all being rules, no
>> comments) then it will fail with a similar error as above.
>> I have never seen a DAQ error.
>>
>> From: Russ Combs [mailto:rcombssourcefire.com]
>> Sent: Thursday, May 02, 2013 12:08 AM
>> To: waldo kitty
>> Cc: snort-userslists.sourceforge.net
>> Subject: Re: [Snort-users] Network Variables
>>
>> Snort does allow comments in the BPF file, starting with # to end of
>> line. If there is a syntax error, you should see something like:
>>
>> ERROR: Can't set DAQ BPF filter to '
>> ...
>> ' (pcap_daq_set_filter: pcap_compile: syntax error)!
>> Fatal Error, Quitting..
>>
>> What DAQ are you using? Please send the BPF file that fails and the
>> error that you get.
>>
>> On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42windstream.net> wrote:
>>
>> On 5/1/2013 13:09, Seth Dunn wrote:
>>> But any ideas why snort fails to start if I add in a '#' to comment a
>>> line??
>>
>> i have no clue but it sounds like a coding error not allowing comment
>> lines in the BPF file... only joel or one of the snort dev guys can tell
>> us that... or possibly a code diver who can root around in the snort
>> code ;)
>>
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>> Please keep mailing list traffic on the list unless
>> private contact is specifically requested and granted.
>>
>>
>>

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
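Shane's question about how the first "not" binds, and Seth's report that the FTP alerts vanish once the BPF file is loaded, can both be checked with a small evaluator for the BPF subset his filter uses; this is an added example, not code from the thread, from Snort or from libpcap. It follows the precedence pcap-filter(7) documents (negation binds tightest; "and" and "or" share one level and associate left to right) and shows the posted rule passing only HTTP to 10.75.45.1 while a parenthesised form passes everything except the two networks' HTTP to that host. The packet dicts are constructed samples, and the parser is a teaching subset, not libpcap's grammar.

```python
import ipaddress
import re

def tokenize(expr):  # '#' comments are dropped first, as Russ describes Snort doing
    return re.findall(r"\(|\)|&&|\|\||!|[\w./]+", re.sub(r"#.*", "", expr))

class Parser:
    """Recursive descent over a BPF subset: [src|dst] net/host/port, not/and/or, parens."""
    def __init__(self, tokens): self.toks, self.pos = tokens, 0
    def peek(self): return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self): self.pos += 1; return self.toks[self.pos - 1]
    def expr(self):
        node = self.unary()   # pcap-filter(7): and/or share one level, left-associative
        while self.peek() in ("and", "&&", "or", "||"):
            op = "and" if self.take() in ("and", "&&") else "or"
            node = (op, node, self.unary())
        return node
    def unary(self):
        tok = self.take()
        if tok in ("not", "!"):                 # negation binds tightest
            return ("not", self.unary())
        if tok == "(":
            node = self.expr(); self.take(); return node   # take() consumes ')'
        qual = "any"
        if tok in ("src", "dst"):               # primitive: [src|dst] KIND VALUE
            qual, tok = tok, self.take()
        return (tok, qual, self.take())

def matches(node, pkt):
    """Evaluate a parsed tree against a packet dict (src, dst, srcport, dstport)."""
    kind = node[0]
    if kind == "not": return not matches(node[1], pkt)
    if kind == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":  return matches(node[1], pkt) or matches(node[2], pkt)
    _, qual, value = node
    sides = ("src", "dst") if qual == "any" else (qual,)   # unqualified = either end
    if kind == "host": return any(pkt[s] == value for s in sides)
    if kind == "net":  return any(ipaddress.ip_address(pkt[s]) in ipaddress.ip_network(value) for s in sides)
    if kind == "port": return any(pkt[s + "port"] == int(value) for s in sides)
    raise ValueError("unsupported primitive: " + kind)

def passes(expr, pkt):  # True if the packet survives the filter and Snort still inspects it
    return matches(Parser(tokenize(expr)).expr(), pkt)

# The filter as posted, a parenthesised form of the stated intent, and constructed sample packets.
POSTED = ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or "
          "not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
INTENDED = ("not ((src net 10.10.0.0/24 or src net 10.30.0.0/24) "
            "and dst host 10.75.45.1 and dst port 80)")
HTTP_FROM_10_10 = {"src": "10.10.0.5", "dst": "10.75.45.1", "srcport": 40000, "dstport": 80}
FTP_TO_10_76 = {"src": "192.168.1.7", "dst": "10.76.65.1", "srcport": 40001, "dstport": 21}
```

The verdict is the same if "and" is read as binding tighter than "or", so parentheses fix the intent either way.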