
Snort Forums Archive


Something wrong with this syntax?


Posted by TBoNe on March 30, 2005 06:59:30

/usr/local/bin/snort_eth3 -c /var/snort/eth3/snort.conf -i eth3 -D not host '(158.74.2.50)'

The issue at hand is I specify not host '(158.74.2.50)' and snort executes correctly, however when I generate Nessus traffic from 158.74.2.50 it still gets logged. I have also tried not host 158.74.2.50 with the same effect. I know I can create BPF filters but I only really need to filter one host so it's fine to just disable it via the command line. Any idea why this IP is not being ignored?

snort 2.3.2
barnyard 0.2.0
sguil 0.52.0
oinkmaster 1.1
red hat els 3.0
kernel 2.4.21

Posted by TBoNe on April 01, 2005 06:26:32

I have also tried using the -F switch and created a BPF filter; below is my snort.filt

not host 158.74.2.50

Still to no avail. Can anyone point me in the right direction?

Posted by bfranklin on April 03, 2005 15:55:56

T,

Would you happen to be on a VLAN? All packet headers are offset when using VLANs, so your BPF would have to be "vlan and not host..."

-B

Posted by TBoNe on April 05, 2005 07:10:20

Yes, this is in a VLAN environment, so the syntax would look like "vlan 50 not host xxx.xxx.xxx.xxx" if the system was on VLAN 50 for example? I will spend some time on this today and see if I can get a resolution.


Thanks!

Posted by TBoNe on April 07, 2005 11:03:15

I went ahead and used this syntax /usr/local/bin/snort_eth3 -c /var/snort/eth3/snort.conf -i eth3 -D vlan 50 and not host 192.1.50.50 and I am still seeing traffic from this host. I am running this via an init script so I am not sure if that makes a difference.


Posted by bfranklin on April 07, 2005 18:11:20

Try just "vlan and not host w.x.y.z". The vlan keyword, without argument, simply calculates the appropriate byte offsets for packet headers on all VLANs.
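The offset problem described in this thread, shown with constructed frames (added example, not code from the thread or from Snort/libpcap): without the vlan keyword a BPF host test reads the EtherType at byte 12 and the IP header at byte 14, so on an 802.1Q-tagged frame it sees 0x8100 instead of 0x0800, never matches the host, and "not host" lets the scanner's traffic through. The MAC addresses and IP payload are constructed, and the emulation only handles IPv4 (real BPF host also checks ARP/RARP).

```python
import socket
import struct

ETH_HDR_LEN = 14         # dst MAC + src MAC + EtherType
VLAN_TAG_LEN = 4         # TPID 0x8100 + TCI (PCP/DEI/VID)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame: Ethernet header, optional 802.1Q tag, minimal IPv4 header."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed MACs
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP), checksum, src, dst
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return frame


def passes_not_host(frame, host, vlan_keyword=False):
    """Emulate `not host <host>`, or `vlan and not host <host>` when vlan_keyword is True.

    Returns True if the frame passes the filter (snort would log it). Without `vlan`
    the EtherType is taken from byte 12 and the IP header assumed at byte 14; `vlan`
    requires a tag and shifts both by the 4-byte tag, as libpcap does.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = ETH_HDR_LEN
    if vlan_keyword:
        if ethertype != ETHERTYPE_8021Q:
            return False                      # `vlan` matches tagged frames only
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset += VLAN_TAG_LEN
    if ethertype != ETHERTYPE_IPV4:
        return True                           # not IPv4 at this offset: `host` cannot match
    src = socket.inet_ntoa(frame[offset + 12:offset + 16])
    dst = socket.inet_ntoa(frame[offset + 16:offset + 20])
    return host not in (src, dst)


if __name__ == "__main__":
    scanner = "158.74.2.50"
    tagged = build_frame(scanner, "158.74.2.10", vlan_id=50)
    print("tagged, 'not host':         ", passes_not_host(tagged, scanner))        # True: still logged
    print("tagged, 'vlan and not host':", passes_not_host(tagged, scanner, True))  # False: filtered
```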

Posted by TBoNe on April 08, 2005 06:04:50

Bfranklin, worked like a charm. That did resolve the issue. Many thanks!