Snort mailing list archives
Re: Snort BPF.filter doesn't work
From: Robert Millott <robm () millottandassociates com>
Date: Fri, 11 Jul 2014 08:01:57 -0400
The problem I had was that I was trying to filter on the address 192.168.1.1. src and dst addresses were the addresses of the GRE tunnel, so they did not match the src and dst address filters I had in place. Within the GRE encapsulated packet was the address 192.168.1.1 and that is what set the snort alert off, but since it wasn't the packet's src or dst address, the bpf filter didn't catch it.

To fix it, I added gre to the bpf filter, i.e. not (proto gre or host address 192.168.1.1). I chose to drop all GRE packets, figuring I would catch the traffic I'm looking for when it isn't encapsulated. Then I could filter the 192.168.1.1 traffic.

Hope that helps someone else

On Thu, Jul 10, 2014 at 9:26 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 7/10/2014 2:13 PM, Robert Millott wrote:
>> All
>>
>> Finally figured it out. Thanx Jeremy for leading me in the right direction.
>>
>> The traffic I was looking at was GRE encapsulated, so while the bpf filters were ignoring packets based on src and dst ip address, the snort rules were seeing the encapsulated data, which contained the 192.168.1.1 address snort was looking for, and that's why snort alerts were firing despite my telling it to drop those addresses.
>
> so... ummm... what was the solution so that others running into the same problem might find it instead of posting about the same problem in the future? ;)
>
> --
> NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
--
Robert Millott
President, Millott and Associates
(443) 255-3588
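The mismatch described in the thread, as an added example that is not from the list or from Snort itself: BPF's host primitive is modelled as looking only at the outer IPv4 header, while Snort's GRE decoding is modelled by parsing the encapsulated packet. The packets are constructed here, and the GRE header is assumed to be the minimal 4-byte form with no optional fields.

```python
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_GRE = 1, 47

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero since nothing here validates it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of the IPv4 packet at the start of pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])

def matches_host(pkt, host):
    """BPF 'host X' as modelled here: compares only the outer IP header's addresses."""
    src, dst, _, _ = parse_ipv4(pkt)
    return host in (src, dst)

def is_gre(pkt):
    """BPF 'proto gre': outer IP protocol number is 47."""
    return parse_ipv4(pkt)[2] == IPPROTO_GRE

def keep_naive(pkt, host):
    """The filter that did not work in the thread: 'not host X'."""
    return not matches_host(pkt, host)

def keep_fixed(pkt, host):
    """The filter that resolved it: 'not (proto gre or host X)'."""
    return not (is_gre(pkt) or matches_host(pkt, host))

def inner_hosts(pkt):
    """What a GRE-aware decoder sees: (src, dst) of the encapsulated IPv4 packet, else None."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_GRE or payload[2:4] != b"\x08\x00":  # assumed 4-byte GRE header, IPv4 inside
        return None
    isrc, idst, _, _ = parse_ipv4(payload[4:])
    return isrc, idst

# Constructed sample traffic: an ICMP echo from 192.168.1.1 to 10.0.0.5, once sent directly
# and once carried inside a GRE tunnel between 203.0.113.1 and 203.0.113.2.
ICMP_ECHO = b"\x08\x00" + b"\x00" * 6
PLAIN = ipv4_header("192.168.1.1", "10.0.0.5", IPPROTO_ICMP, len(ICMP_ECHO)) + ICMP_ECHO
GRE_HDR = b"\x00\x00\x08\x00"  # no flags, version 0, protocol type 0x0800 (IPv4)
TUNNELED = ipv4_header("203.0.113.1", "203.0.113.2", IPPROTO_GRE, len(GRE_HDR) + len(PLAIN)) + GRE_HDR + PLAIN
```

keep_naive(TUNNELED, "192.168.1.1") returns True (the packet passes the filter even though the inner packet carries the address), while keep_fixed drops it; inner_hosts shows the addresses Snort would match on.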