Snort mailing list archives

RE: BPF Filters howto

From: Ben Keepper <lists () paladinss com>
Date: 28 Oct 2002 08:29:40 -0800

Thanks Andrew,

I understand your syntax, now how do I get snort to use.  Based on the
documentation, would I drop your line below to a text file and then call
that text file with the -F option when starting Snort?

Ben

On Mon, 2002-10-28 at 08:21, Hutchinson, Andrew wrote:

As a reference, I'd recommend Northcutt's book "Network Intrusion
Detection: An Analyst's Handbook", 2nd ed.  It does a pretty good job of
explaining BPF filters, from the general to the very specific (logical
ANDing to examine specific bits or bit combinations, etc.).

For what you want to do, perhaps this will help:

Lets say that you want to ignore traffic from the 192.168.10.0/24
network destined for port 22:

'!(src net 192.168.10.0/24 && dst port 22)'

You just define the traffic that you want to ignore (in this case,
anything that is both from 192.168.10.0/24 and destined for port 22),
and then negate it with the logical not (!).

Hope that helps.

Andrew Hutchinson
Vanderbilt University Medical Center
Informatics/NCS/Network Security

-----Original Message-----
From: Ben Keepper [mailto:lists () paladinss com]
Sent: Monday, October 28, 2002 10:08 AM
To: Snort-Users
Subject: [Snort-users] BPF Filters howto


All,

I am trying to figure out how to use BPF filters to ignore certain
traffic with Snort.

Other than the Snort manpage, documentation on how to use BPF filters
seems to be scarce.


I see this in the Snort FAQ, but it doesn't seem to be complete.

"Use bpf on the commandline to ignore a host (for example):

       $ snort <commandline options> not host 192.168.0.1"


Also I would like to ignore traffic on specific destination port from a
particular subnet.

Can anybody help with some documentation or a quick howto.

TIA,

Ben






-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf _______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
*** Paladin Security Systems scanned this email for malicious content
***
*** IMPORTANT: Do not open attachments from unrecognized senders  ***






-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

BPF Filters howto Ben Keepper (Oct 28)
- Re: BPF Filters howto Ashley Thomas (Oct 28)
- <Possible follow-ups>
- RE: BPF Filters howto Hutchinson, Andrew (Oct 28)
  - RE: BPF Filters howto Ben Keepper (Oct 28)
- RE: BPF Filters howto Hutchinson, Andrew (Oct 28)
- RE: BPF Filters howto Little Mitty (Oct 28)
- Re: BPF Filters howto Little Mitty (Oct 28)