Snort mailing list archives

Re: filters


From: Phil Wood <cpw () lanl gov>
Date: Tue, 29 Jul 2003 19:51:31 -0600

Folks,

This explanation is for Unix users.  Others would need to have had some
experience at an xterm window.

The BPF syntax, as defined in 'man tcpdump' (on unix at least), should
be all you need to make a good filter.

  % man tcpdump
  /  expression
   ^^ two spaces

will get you to the section that defines the primitives used to build
the filters.

You need to be careful.  If you say:

  dst net ( 10.1/16 or 192.168.3/19 )

you will not get complete "sessions" because only packets directed to the
second address in the IP header, that belong to the corresponding
networks, will filter into the application.

A simpler filter:

  net ( 10.1/16 or 192.168.3/19 )

gets packets with either a source IP address or destination IP address
in the ranges supplied.

If you do not want to see any of these packets, but all the rest then
you use the following syntax:

  not net ( 10.1/16 or 192.168.3/19 )

The exclamation point (!) isn't used in these expressions.  However,
you can delve into the packet structure using arithmetic expressions 
including special packet data "accessors" and "relation operators",
one of which is '!=' (which is pronounced "not equal").

An example of the use of a "relation" is:

   'tcp[14:2] == 55808'   (note: two primes are used on the command line
                                 to enclose special shell syntax characters)

So, try this on your link from the Void:

  # void_interface=eth2
  # tcpdump -nv -i $void_interface 'tcp[14:2] == 55808'

I'm assuming you will see something.  If not, the place I work is really
special.  Just what you see (or might see) is left as an exercise for the
reader.

Hope this helps,

-- 
Phil Wood, cpw () lanl gov
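The three address filters and the relation operator in the post above, worked through as an added example that is not part of the original message. It builds a few constructed IPv4/TCP headers in memory, expands tcpdump's abbreviated network notation (the mask-from-octet-count rule is the one 'man tcpdump' describes), and evaluates `dst net`, `net`, `not net` and `tcp[14:2] == 55808` over each packet, so the difference between `dst net` (one direction only) and `net` (both directions of a session) is visible without a live interface. The sample addresses, ports and window sizes are constructed; nothing here is tcpdump's own code.

```python
import ipaddress
import struct

# The two networks from the post, in tcpdump's short form.
NETS = ["10.1/16", "192.168.3/19"]


def expand_net(short):
    """Expand tcpdump's abbreviated network notation into an IPv4Network.

    '10.1/16' -> 10.1.0.0/16.  Without an explicit prefix the mask follows
    the octet count (one octet /8, two /16, three /24, four /32).
    """
    addr, _, prefix = short.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad network: {short}")
    if not prefix:
        prefix = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def build_ipv4_tcp(src, dst, sport, dport, window):
    """Construct a minimal IPv4 + TCP header (no options, zero checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02,
                          window, 0, 0)
    return ip_hdr + tcp_hdr


def ip_addrs(pkt):
    """Source and destination addresses from the IPv4 header."""
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])


def tcp_field(pkt, offset, size):
    """The 'tcp[offset:size]' accessor: bytes counted from the start of the
    TCP header, which begins after the IP header (length from the IHL nibble).
    Non-TCP packets never match."""
    if pkt[9] != 6:                      # IP protocol number 6 = TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")


def match_dst_net(pkt, nets):
    """'dst net ( ... )': only the destination address is tested."""
    _, dst = ip_addrs(pkt)
    return any(dst in n for n in nets)


def match_net(pkt, nets):
    """'net ( ... )': either the source or the destination may be in range."""
    src, dst = ip_addrs(pkt)
    return any(src in n or dst in n for n in nets)


def evaluate(packets, nets):
    """Run the four filters from the post over each packet; one list per filter."""
    expanded = [expand_net(n) for n in nets]
    return {
        "dst net": [match_dst_net(p, expanded) for p in packets],
        "net": [match_net(p, expanded) for p in packets],
        "not net": [not match_net(p, expanded) for p in packets],
        "tcp[14:2] == 55808": [tcp_field(p, 14, 2) == 55808 for p in packets],
    }


# Constructed sample traffic: a client in 192.168.3/19 talks to an outside host,
# the host answers, then two unrelated packets carry the window size 55808.
PACKETS = [
    build_ipv4_tcp("192.168.3.10", "203.0.113.5", 40000, 80, 8192),    # request out
    build_ipv4_tcp("203.0.113.5", "192.168.3.10", 80, 40000, 65535),   # reply back
    build_ipv4_tcp("172.16.9.9", "198.51.100.7", 1234, 25, 55808),     # neither net
    build_ipv4_tcp("10.1.5.5", "198.51.100.7", 1234, 25, 55808),       # src in 10.1/16
]

if __name__ == "__main__":
    for name, hits in evaluate(PACKETS, NETS).items():
        print(f"{name:22s} {hits}")
```

Packet 1 fails `dst net` (its destination is outside both ranges) while packet 2 passes, which is exactly the half-session effect the post warns about; `net` accepts both. The `tcp[14:2]` accessor reads the 16-bit window field at byte 14 of the TCP header, so only the two packets built with window 55808 satisfy the relation.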


