LinuxQuestions.org, Linux - Security forum (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: [snort ids] BPF causes duplicated sensors (https://www.linuxquestions.org/questions/linux-security-4/%5Bsnort-ids%5D-bpf-causes-duplicated-sensors-562865/)

edenCC 06-19-2007 03:49 AM

[snort ids] BPF causes duplicated sensors
 
Hi, ALL;

I'm running snort-2.6 on some RHEL AS4 boxes, using BASE-1.3.6 as a web frontend.
Some days ago, I added some BPF filters to avoid alerts from known IPs:

Code:

[admin /home/sight]$ cat etc/bsd.pf
not (src net 111.108.16) and not (src net 222.108) and not (src host 161.171.181.191)
[admin /home/sight]$ ps -ef |grep snort
nobody    5023    1  0 Jun19 ?        00:05:02 bin/snort -N -D -i eth0 -g nobody -u nobody -F etc/bsd.pf -c etc/snort.conf

After restarting snort, I found that the web interface takes these newly added BPF filters as new sensors:

Code:

sensor.ID -- sensor-name -----------
64          145.145.145.15:eth0:not (src net 111.108.16) and not (src net 222.181) and not (src host 161.171.181.191)          3          1          2          1          2007-06-18          2007-06-19

I think this may be caused by snort itself.
I'm just wondering why snort takes these BPF filters as a new sensor entry, and how I can avoid this?


thanks for any hint.

edenCC 06-19-2007 10:51 AM

I've fixed it like this:
Code:

# /etc/snort.conf
# [_I_P_] stands for the list of known hosts/networks (comma-separated, no spaces)
var KNOWN_HOSTS [_I_P_]
# a Snort rule needs a protocol after the action; EXTERNAL_NET is defined earlier in the stock snort.conf
pass ip $KNOWN_HOSTS any -> $EXTERNAL_NET any

The issue mentioned above seems to be a bug in either BASE-1.3.6 or snort-2.6.
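The two posts together describe one mechanism: the `-F` filter string becomes part of the sensor identity that BASE displays as `hostname:interface:filter`, so every change to the filter registers a new sensor, and moving the exclusions into a pass rule keeps the filter column empty. The following is an added example, not code from the thread, Snort or BASE. It splits sensor names the way BASE shows them, flags sensor rows that share host and interface but differ only in filter, and converts the simple `not (src net X) and not (src host Y)` exclusion shape into a snort.conf fragment. The sensor rows are constructed (sid 64 mirrors the row in the first post, the others are made up), and `KNOWN_HOSTS`/`EXTERNAL_NET` are assumed variable names.

```python
"""Added example (not from the thread): show how the BPF filter string lands in
the sensor identity, detect the duplicate sensor rows it produces, and build
the equivalent pass-rule fragment from a BPF exclusion list."""
import re
from collections import defaultdict

# Constructed sensor rows in the shape BASE shows them: (sid, "hostname:iface:filter").
# sid 64 mirrors the row in the post; sids 12 and 65 are made up for illustration.
SENSOR_ROWS = [
    (12, "145.145.145.15:eth0:"),
    (64, "145.145.145.15:eth0:not (src net 111.108.16) and not (src net 222.108) "
         "and not (src host 161.171.181.191)"),
    (65, "145.145.145.16:eth0:"),
]


def split_sensor_name(name):
    """Split 'hostname:iface:filter' into its parts. The filter may itself
    contain ':' (port or IPv6 syntax), so split at most twice."""
    parts = name.split(":", 2)
    while len(parts) < 3:
        parts.append("")
    hostname, iface, bpf = parts
    return hostname, iface, bpf.strip()


def find_duplicate_sensors(rows):
    """Group sensor ids by (hostname, iface). A group with more than one sid
    means the same probe was registered more than once, which is what happens
    when the -F filter string changes between restarts."""
    groups = defaultdict(list)
    for sid, name in rows:
        hostname, iface, _ = split_sensor_name(name)
        groups[(hostname, iface)].append(sid)
    return {key: sids for key, sids in groups.items() if len(sids) > 1}


def tcpdump_net_to_cidr(net):
    """tcpdump's 'net a.b.c' shorthand implies the mask from the number of
    octets given: 111.108.16 -> 111.108.16.0/24, 222.108 -> 222.108.0.0/16."""
    if "/" in net:
        return net
    octets = net.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad network spec: %r" % net)
    prefix = 8 * len(octets)
    padded = octets + ["0"] * (4 - len(octets))
    return "%s/%d" % (".".join(padded), prefix)


# One negated source term of the filter: not (src net X) or not (src host Y)
_TERM = re.compile(r"not\s*\(\s*src\s+(net|host)\s+([\d./]+)\s*\)")


def bpf_exclusions_to_snort(bpf, var="KNOWN_HOSTS", ext="EXTERNAL_NET"):
    """Turn a 'not (src net X) and not (src host Y)' exclusion filter into a
    snort.conf fragment so the sensor's filter column stays empty and BASE
    keeps a single sensor row. Only this conjunction-of-negations shape is
    handled; anything else is rejected rather than silently mis-translated."""
    terms = _TERM.findall(bpf)
    if not terms:
        raise ValueError("no 'not (src net|host ...)' terms found")
    leftover = _TERM.sub("", bpf)
    if re.sub(r"\s*and\s*", "", leftover).strip():
        raise ValueError("unsupported BPF syntax: %r" % leftover.strip())
    addrs = [tcpdump_net_to_cidr(v) if kind == "net" else v for kind, v in terms]
    return "\n".join([
        "# generated from: %s" % bpf,
        "var %s [%s]" % (var, ",".join(addrs)),
        "# Snort 2.6 evaluates rules Alert->Pass->Log unless started with -o,",
        "# which switches to Pass->Alert->Log; without -o the pass rule does nothing.",
        "pass ip $%s any -> $%s any" % (var, ext),
    ])


if __name__ == "__main__":
    for (host, iface), sids in find_duplicate_sensors(SENSOR_ROWS).items():
        print("duplicate sensor %s:%s registered as sids %s" % (host, iface, sids))
    _, _, bpf = split_sensor_name(SENSOR_ROWS[1][1])
    print(bpf_exclusions_to_snort(bpf))
```

Running the script reports sid 12 and sid 64 as the same probe and prints the pass-rule fragment for the filter from the post. The translator deliberately refuses filters it does not fully understand (an `or`, a `dst` term, a port); a half-translated exclusion list would quietly drop alerts the original filter never excluded.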

