Snort mailing list archives

Re: bpf filter to filter on *starting* port?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 09 Feb 2011 10:36:47 +1300

On 02/09/2011 09:52 AM, Bamm Visscher wrote:
> If you have a host or network that goes with the port you want to
> filter, try something like:
No - I said "any host". I want to not record packets going to *any*
server running a TCP service on port 9000. This is all easy to do if you
have host ips.

I have come to the conclusion it isn't possible. If you are doing BPF
filters involving "standard" TCP services such as http, smtp, https, you
don't see this problem as they are all <1024, and the other port
involved in a TCP session is always >1024, so "not port 25" will
*always* just ignore TCP services running on port 25. However, if you
are wanting to do the same thing for services on ports >1024 (eg
proxies, arcserve, SQL), then a BPF filter *will have false matches* as
sometimes those port numbers will be used by other TCP sessions.

To fix this would require BPF to become a bit more state-aware (like what
stream5 adds to snort) - which is probably beyond what it sets out to do.

e.g.

alert tcp any any -> $HOME_NET 3306 (msg:"someone talking to MySQL server";flow:to_server,established;...)

The flow:to_server ensures this never matches against 1.2.3.4:80 ->
$HOME_NET:3306 (assuming 1.2.3.4:80 is a webserver of course)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
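The false-match problem described in the post, as an added example that is not part of the original message: a stateless "not port 9000" filter next to a minimal flow-tracking filter that learns the server side of each session from its SYN (the direction information Snort's flow:to_server relies on). The packets are constructed for illustration, not captured traffic.

```python
# Added example (not from the original post): why a stateless BPF port
# filter has false matches for ports >1024, and what a minimal flow-aware
# filter (in the spirit of Snort's flow:to_server) does differently.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: set of TCP flag names

def bpf_not_port(pkts, port):
    """Stateless 'not port <port>': drops any packet with that port on either side."""
    return [p for p in pkts if port not in (p.sport, p.dport)]

def flow_aware_not_service(pkts, port):
    """Drops only sessions whose *server* side listens on <port>.

    The server side is learned from the first SYN (without ACK) of a flow.
    Flows whose SYN was never seen are kept, since their service port is unknown.
    """
    servers = {}  # flow key -> (server ip, server port)
    out = []
    for p in pkts:
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if "SYN" in p.flags and "ACK" not in p.flags:
            servers[key] = (p.dst, p.dport)
        server = servers.get(key)
        if server and server[1] == port:
            continue  # whole session to the unwanted service is suppressed
        out.append(p)
    return out

# Constructed traffic: one real session to a service on 9000, and one HTTP
# session whose *client* happened to pick ephemeral port 9000.
TRAFFIC = [
    Pkt("10.0.0.7", 51000, "10.0.0.9", 9000, {"SYN"}),
    Pkt("10.0.0.9", 9000, "10.0.0.7", 51000, {"SYN", "ACK"}),
    Pkt("10.0.0.7", 51000, "10.0.0.9", 9000, {"ACK", "PSH"}),
    Pkt("10.0.0.7", 9000, "10.0.0.8", 80, {"SYN"}),
    Pkt("10.0.0.8", 80, "10.0.0.7", 9000, {"SYN", "ACK"}),
    Pkt("10.0.0.8", 80, "10.0.0.7", 9000, {"ACK", "PSH"}),
]

def compare(port=9000):
    """Packets kept by the stateless filter vs. the flow-aware filter."""
    return len(bpf_not_port(TRAFFIC, port)), len(flow_aware_not_service(TRAFFIC, port))

if __name__ == "__main__":
    # stateless drops all 6 (false match on the HTTP session); flow-aware keeps the 3 HTTP packets
    print(compare())  # -> (0, 3)
```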

