LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-19-2007, 02:49 AM   #1
edenCC
Member
 
Registered: May 2006
Location: China
Distribution: Debian
Posts: 198
Blog Entries: 1

Rep: Reputation: 32
[snort ids] BPF causes duplicated sensors


Hi, ALL;

I'm running snort-2.6 on some RHEL AS4 boxes; using BASE-1.3.6 as a web frontend.
Days before, I added some BPF filters to avoid alerts from known IPs:

Code:
[admin /home/sight]$ cat etc/bsd.pf
not (src net 111.108.16) and not (src net 222.108) and not (src host 161.171.181.191)
[admin /home/sight]$ ps -ef |grep snort
nobody    5023     1  0 Jun19 ?        00:05:02 bin/snort -N -D -i eth0 -g nobody -u nobody -F etc/bsd.pf -c etc/snort.conf
After restarting snort, I found that the web interface takes these newly added BPF filters as new sensors:
Code:
sensor.ID -- sensor-name -----------
64 	 145.145.145.15:eth0:not (src net 111.108.16) and not (src net 222.181) and not (src host 161.171.181.191) 	 3 	 1 	 2 	 1 	 2007-06-18 	 2007-06-19
I think this may be caused by snort itself.
I'm just wandering why will snort take these BFP filters as new sensor entry, and how can I avoid this?


thanks for any hint.

Last edited by edenCC; 06-19-2007 at 02:55 AM.
 
Old 06-19-2007, 09:51 AM   #2
edenCC
Member
 
Registered: May 2006
Location: China
Distribution: Debian
Posts: 198

Original Poster
Blog Entries: 1

Rep: Reputation: 32
I've fixed it like this:
Code:
#/etc/snort.conf
var KNOWN_HOSTS [_I_P_]
pass $KNOWN_HOSTS any -> $EXTER_NET any
The issue mentioned above seems to be a bug for either BASE-1.3.6 or snort-2.6
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to setup snort IDS saini_mw Linux - Security 2 05-15-2006 07:46 AM
developing an ids using snort chax Linux - Security 1 01-10-2006 12:20 PM
developing an ids using snort chax Linux - Networking 1 01-10-2006 11:51 AM
Snort/ACID as an IDS WeNdeL Linux - Security 4 09-10-2004 12:14 PM
snort (ids) not working please help!!! crealkillerI75 Slackware 5 07-18-2002 03:39 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:35 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration