Snort mailing list archives
Re: filters
From: Phil Wood <cpw () lanl gov>
Date: Tue, 29 Jul 2003 19:51:31 -0600
Folks,

This explanation is for Unix users. Others would need to have had some experience at an xterm window.

The BPF syntax, as defined in the 'man tcpdump' (on unix at least), should be all you need to make a good filter.

% man tcpdump
/  expression
 ^^ two spaces

will get you to the section that defines the primitives used to build the filters.

You need to be careful. If you say:

dst net ( 10.1/16 or 192.168.3/19 )

you will not get complete "sessions" because only packets directed to the second address in the IP header, that belong to the corresponding networks, will filter into the application.

A simpler filter:

net ( 10.1/16 or 192.168.3/19 )

gets packets with either a source IP address or destination IP address in the ranges supplied.

If you do not want to see any of these packets, but all the rest, then you use the following syntax:

not net ( 10.1/16 or 192.168.3/19 )

The exclamation point (!) isn't used in these expressions. However, you can delve into the packet structure using arithmetic expressions including special packet data "accessors" and "relation operators", one of which is '!=' (which is pronounced "not equal"). An example of the use of a "relation" is:

'tcp[14:2] == 55808'

(note: two primes are used on the command line to enclose special shell syntax characters)

So, try this on your link from the Void:

# void_interface=eth2
# tcpdump -nv -i $void_interface 'tcp[14:2] == 55808'

I'm assuming you will see something. If not, the place I work is really special. Just what you see or (might see) is left as an exercise for the reader.

Hope this helps,

--
Phil Wood, cpw () lanl gov
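As an added example (not part of Phil Wood's post), the following Python decodes a constructed IPv4/TCP packet and applies the three net filters and the tcp[14:2] accessor from the message by hand, so you can see why "dst net" catches only one direction of a session while "net" catches both. The packet builder, addresses and helper names are my own assumptions; the host bits in 192.168.3/19 are masked off here.

```python
import ipaddress
import struct

# The two networks from the post; host bits are masked off here (192.168.3/19 -> 192.168.0.0/19).
NETS = [ipaddress.ip_network("10.1.0.0/16"),
        ipaddress.ip_network("192.168.3.0/19", strict=False)]

def build_tcp_packet(src, dst, sport, dport, window):
    """Constructed IPv4+TCP packet (no link-layer header); checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp

def addrs(pkt):
    """Source and destination address read from the IPv4 header."""
    return ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])

def tcp_accessor(pkt, offset, size):
    """Mimic the BPF accessor tcp[offset:size]: big-endian integer read at that offset into
    the TCP header (IP header length taken from the IHL nibble). None if the packet is not TCP."""
    if pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")

def in_nets(addr):
    return any(addr in n for n in NETS)

def filt_dst_net(pkt):          # dst net ( 10.1/16 or 192.168.3/19 )
    return in_nets(addrs(pkt)[1])

def filt_net(pkt):              # net ( 10.1/16 or 192.168.3/19 )
    src, dst = addrs(pkt)
    return in_nets(src) or in_nets(dst)

def filt_not_net(pkt):          # not net ( 10.1/16 or 192.168.3/19 )
    return not filt_net(pkt)

def filt_window_55808(pkt):     # tcp[14:2] == 55808  (offset 14 is the TCP window field)
    return tcp_accessor(pkt, 14, 2) == 55808

# Constructed two-packet "session": an inside host talks to an outside server and gets a reply.
OUTBOUND = build_tcp_packet("10.1.2.3", "203.0.113.5", 40000, 80, window=55808)
INBOUND = build_tcp_packet("203.0.113.5", "10.1.2.3", 80, 40000, window=8192)

if __name__ == "__main__":
    for name, f in [("dst net", filt_dst_net), ("net", filt_net), ("not net", filt_not_net),
                    ("tcp[14:2]==55808", filt_window_55808)]:
        print(f"{name:18} outbound={f(OUTBOUND)!s:5} inbound={f(INBOUND)}")
```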