Snort mailing list archives
Re: BPF filter
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Mon, 21 Apr 2003 10:55:24 +0200
Hi,

Liuhy wrote:

Hello everyone,

In the options of the snort command line, there is a "-F", which is followed by a BPF filter file. I have googled it; I only know that it is the abbreviation of "Berkley Packet Filtering", and these can't give me the answer that I want to get. My questions are:

1. What is a BPF filter? (not introduced in "man tcpdump" or "man snort"; I can't enter "man 4 bpf" in Linux)
It means Berkeley Packet Filter and is a kernel-based possibility to access the data on the link layer. The bpf manual page is only available on *BSD systems (FreeBSD, OpenBSD, ...). On Linux, the similar instance is called Linux Socket Filter (LSF). For more information google on that (sorry ;) ).
2. How can I write a BPF filter file? What are the rules to write it?
BPF is assembler-like code, not that easy to write (for a newbie like me at least ;) ). Fortunately, tcpdump has a "-d" switch:

linux:~ # tcpdump -i eth1 -d host 192.168.1.1
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [26]
(003) jeq      #0xc0a80101      jt 12   jf 4
(004) ld       [30]
(005) jeq      #0xc0a80101      jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [28]
(009) jeq      #0xc0a80101      jt 12   jf 10
(010) ld       [38]
(011) jeq      #0xc0a80101      jt 12   jf 13
(012) ret      #96
(013) ret      #0
linux:~ #

Put that code in a file and there you go... Of course you can write your own code, which, after some practicing, may even be better (=faster) than the tcpdump one.
3. In the snort FAQ, there is an example as follows:

snort <options> ``not ( (icmp[0] = 8 or icmp[0] = 0) and host <foo>)''

It's similar to a snort command line, is it right? What is the relation between them?
See above. Snort will translate yours into BPF instructions, as tcpdump does above, and give it to the kernel, where it will be executed on every packet. This is a very fast and good way to throw away packets you may not want to see, so use it whenever possible in order to relieve Snort from looking at uninteresting packets and losing your precious CPU time with that. The syntax of the code for tcpdump and Snort is the same (btw. for Ethereal too), since all these programs are using libpcap, which is hiding the devices like BPF and LSF from the programmer so that portable software based on it may be written.
Thanks in advance!
Liuhy
2003/4/21
Regards,
Edin
--
Edin Dizdarevic
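The following is an added example, not part of the original message and not code from Snort, tcpdump or libpcap. It is a small Python interpreter for the handful of classic BPF mnemonics that appear in the tcpdump -d listing above (ld, ldh, jeq, ret). It parses that listing, runs it over a few constructed Ethernet frames and returns the ret value, which is what the kernel uses to decide whether the packet reaches the capturing program (0 means dropped). That lets you confirm offline what the compiled "host 192.168.1.1" filter really accepts before putting it in front of Snort: IPv4 to or from the host, ARP or RARP naming the host in either address field, and nothing else, with a frame too short for the load at offset 26 rejected rather than matched. The MAC addresses, the IP addresses other than 192.168.1.1 and the frame layouts are constructed for the demo; the jump targets are treated as absolute instruction numbers, which is how tcpdump -d prints them.

```python
import struct

# Constructed copy of the tcpdump -d listing quoted in the message above
# (the compiled filter for "host 192.168.1.1"). jt/jf are absolute
# instruction numbers, exactly as tcpdump -d prints them.
PROGRAM_TEXT = """
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 6
(002) ld [26]
(003) jeq #0xc0a80101 jt 12 jf 4
(004) ld [30]
(005) jeq #0xc0a80101 jt 12 jf 13
(006) jeq #0x806 jt 8 jf 7
(007) jeq #0x8035 jt 8 jf 13
(008) ld [28]
(009) jeq #0xc0a80101 jt 12 jf 10
(010) ld [38]
(011) jeq #0xc0a80101 jt 12 jf 13
(012) ret #96
(013) ret #0
"""

LOAD_WIDTH = {"ld": 4, "ldh": 2, "ldb": 1}  # bytes read by each load form


def parse_program(text):
    """Parse the subset of tcpdump -d mnemonics used in the listing into
    (op, k, jt, jf) tuples. Any other mnemonic raises, so an unexpected
    instruction is noticed instead of being silently misinterpreted."""
    insns = []
    for line in text.strip().splitlines():
        parts = line.split()
        op = parts[1]  # parts[0] is the "(nnn)" index printed by tcpdump
        if op in LOAD_WIDTH:
            insns.append((op, int(parts[2].strip("[]")), None, None))
        elif op == "jeq":
            k = int(parts[2].lstrip("#"), 0)
            insns.append((op, k, int(parts[4]), int(parts[6])))
        elif op == "ret":
            insns.append((op, int(parts[2].lstrip("#"), 0), None, None))
        else:
            raise ValueError("unsupported mnemonic: " + op)
    return insns


def run_filter(insns, frame):
    """Execute the program over one link-layer frame. The return value is
    the number of bytes to capture; 0 means the packet is discarded."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = insns[pc]
        if op in LOAD_WIDTH:
            width = LOAD_WIDTH[op]
            if k + width > len(frame):
                return 0  # a load past the end of the packet rejects it
            acc = int.from_bytes(frame[k:k + width], "big")
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        else:  # ret
            return k


def _ip4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_frame(src, dst):
    """Constructed Ethernet + minimal IPv4 header (no options) + 20 bytes
    of payload. Source IP lands at frame offset 26, destination at 30."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    return eth + ip + b"\x00" * 20


def arp_frame(sender_ip, target_ip):
    """Constructed Ethernet + ARP request. Sender IP lands at frame offset
    28 and target IP at 38, the offsets instructions 008 and 010 read."""
    eth = b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      b"\x02" * 6, _ip4(sender_ip), b"\x00" * 6, _ip4(target_ip))
    return eth + arp


def classify(insns, frames):
    """Return {label: bytes_captured} for a dict of labelled frames."""
    return {label: run_filter(insns, frame) for label, frame in frames.items()}


if __name__ == "__main__":
    prog = parse_program(PROGRAM_TEXT)
    samples = {
        "ipv4 to host": ipv4_frame("10.0.0.5", "192.168.1.1"),
        "ipv4 elsewhere": ipv4_frame("10.0.0.5", "10.0.0.9"),
        "arp for host": arp_frame("10.0.0.5", "192.168.1.1"),
        "ipv6 ethertype": b"\x02" * 12 + struct.pack("!H", 0x86DD) + b"\x00" * 40,
        "truncated ipv4": ipv4_frame("10.0.0.5", "192.168.1.1")[:20],
    }
    for label, result in classify(prog, samples).items():
        print(f"{label:16s} -> ret #{result}")
```

Reading the program this way also shows why the compiled filter is cheap: every packet costs at most six loads and compares before a ret, and anything that is not IPv4, ARP or RARP is rejected at instruction 007 without the IP addresses ever being read.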
Current thread:
- BPF filter Liuhy (Apr 21)
- Re: BPF filter Chris Reid (Apr 21)
- Re: BPF filter Edin Dizdarevic (Apr 21)