[snort ids] BPF causes duplicated sensors

edenCC · 06-19-2007, 02:49 AM

Hi, ALL;

I'm running snort-2.6 on some RHEL AS4 boxes; using BASE-1.3.6 as a web frontend.
Days before, I added some BPF filters to avoid alerts from known IPs:

Code:

[admin /home/sight]$ cat etc/bsd.pf
not (src net 111.108.16) and not (src net 222.108) and not (src host 161.171.181.191)
[admin /home/sight]$ ps -ef |grep snort
nobody    5023     1  0 Jun19 ?        00:05:02 bin/snort -N -D -i eth0 -g nobody -u nobody -F etc/bsd.pf -c etc/snort.conf

After restarting snort, I found that the web interface takes these newly added BPF filters as new sensors:

Code:

sensor.ID -- sensor-name -----------
64 	 145.145.145.15:eth0:not (src net 111.108.16) and not (src net 222.181) and not (src host 161.171.181.191) 	 3 	 1 	 2 	 1 	 2007-06-18 	 2007-06-19

I think this may be caused by snort itself.
I'm just wandering why will snort take these BFP filters as new sensor entry, and how can I avoid this?

thanks for any hint.

edenCC · 06-19-2007, 09:51 AM

I've fixed it like this:

Code:

#/etc/snort.conf
var KNOWN_HOSTS [_I_P_]
pass $KNOWN_HOSTS any -> $EXTER_NET any

The issue mentioned above seems to be a bug for either BASE-1.3.6 or snort-2.6