
edenCC 06-19-2007 03:49 AM

[snort ids] BPF causes duplicated sensors
Hi, ALL;

I'm running snort-2.6 on some RHEL AS4 boxes, using BASE-1.3.6 as a web frontend.
A few days ago I added some BPF filters to avoid alerts from known IPs:


[admin /home/sight]$ cat etc/
not (src net 111.108.16) and not (src net 222.108) and not (src host
[admin /home/sight]$ ps -ef |grep snort
nobody    5023    1  0 Jun19 ?        00:05:02 bin/snort -N -D -i eth0 -g nobody -u nobody -F etc/ -c etc/snort.conf

After restarting snort, I found that the web interface takes these newly added BPF filters as new sensors:

sensor.ID -- sensor-name -----------
64 (src net 111.108.16) and not (src net 222.181) and not (src host          3          1          2          1          2007-06-18          2007-06-19

I think this may be caused by snort itself.
I'm just wondering why snort takes these BPF filters as a new sensor entry, and how I can avoid this.

Thanks for any hint.

edenCC 06-19-2007 10:51 AM

I've fixed it like this:

# the protocol field ("ip") is required in a Snort rule header; the sid keeps the rule identifiable
pass ip $KNOWN_HOSTS any -> $EXTER_NET any (msg:"known hosts, ignore"; sid:1000001; rev:1;)

The issue mentioned above seems to be a bug in either BASE-1.3.6 or snort-2.6 :confused:
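The behaviour in the first post is by design rather than a bug: Snort's database output plugin identifies a sensor by the combination of hostname, interface and BPF filter string (the `sensor` table has a `filter` column), so every change to the `-F` filter file creates a fresh sensor row, which BASE then lists as a new sensor. A `pass` rule suppresses the alert inside the detection engine without touching the sensor identity, which is why the second approach keeps one sensor. The script below is an added example, not code from the thread or from the Snort project: it takes a constructed allow-list and emits both forms, the BPF expression for `-F` and the `var` plus `pass` rule for `snort.conf`, expanding BPF's dotted-prefix `net` shorthand (`111.108.16` means 111.108.16.0/24) into the CIDR notation Snort variables need. Variable names, the sid and the sample addresses are assumptions. Note that in Snort 2.6 pass rules are evaluated after alert rules unless Snort is started with `-o` (Pass then Alert then Log order); check the manual for the version you run.

```python
"""Emit the same 'ignore known hosts' allow-list in two forms:
(a) a BPF filter string for `snort -F <file>` and
(b) a Snort 2.x `var` definition plus a `pass` rule for snort.conf.
Added example; sample addresses and variable names are constructed.
"""
import ipaddress

# Constructed sample allow-list in BPF's shorthand: 1-3 octets mean a classful
# network prefix (net), 4 octets mean a single host.
KNOWN = ["111.108.16", "222.108", "10.9.8.7"]


def bpf_net_to_cidr(token):
    """Expand a BPF dotted prefix (1..4 octets) to CIDR: '111.108.16' -> '111.108.16.0/24'."""
    octets = token.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"not a dotted IPv4 prefix: {token!r}")
    padded = octets + ["0"] * (4 - len(octets))
    # strict=True (the default) rejects prefixes with host bits set
    return str(ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}"))


def bpf_filter(known):
    """The -F file contents: 'not (src net X) and not (src host Y) ...'.
    Packets matching a clause never reach the detection engine, and the
    whole string becomes part of the sensor identity in the database."""
    clauses = []
    for tok in known:
        keyword = "host" if tok.count(".") == 3 else "net"
        clauses.append(f"not (src {keyword} {tok})")
    return " and ".join(clauses)


def snort_pass_rules(known, var="KNOWN_HOSTS", ext="EXTERNAL_NET", sid=1000001):
    """snort.conf lines: a bracketed address list and one pass rule.
    Snort 2.6 accepts bracketed lists with `var`; `ipvar` arrived in 2.8.
    Local rule sids start at 1000000 so they do not collide with the
    distributed ruleset."""
    cidrs = [bpf_net_to_cidr(t) for t in known]
    return [
        f"var {var} [{','.join(cidrs)}]",
        f'pass ip ${var} any -> ${ext} any (msg:"known host, ignore"; sid:{sid}; rev:1;)',
    ]


if __name__ == "__main__":
    print("# -F filter file")
    print(bpf_filter(KNOWN))
    print("# snort.conf")
    for line in snort_pass_rules(KNOWN):
        print(line)
```

Drop the first block into the `-F` file or the second into `snort.conf`, then restart Snort; with the pass rule variant the sensor list in BASE stays unchanged because the filter column for the sensor is still empty.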
