[Snort-users] BPF filter
edin.dizdarevic at ...7509...
Mon Apr 21 01:57:03 EDT 2003
> Hello everyone,
> In the option of snort command line, there is a "-F", which is
> followed by a BPF filter file. I have googled it, I only know that it
> is the abbreviation of "Berkeley Packet Filtering", these can't give
> me the answer that I want to get. My questions are:
> 1. What is a BPF filter? (not introduced in "man tcpdump" or "man snort",
> and I can't enter "man 4 bpf" on Linux)
It means Berkeley Packet Filter and is a kernel-based possibility to
access the data on the link layer. The bpf manual page is only
available on *BSD systems (FreeBSD, OpenBSD, ...). On Linux, a similar
instance is called Linux Socket Filter (LSF). For more information
google for that (sorry ;) ).
> 2. How can I write a BPF filter file? What are the rules for writing it?
BPF is assembler-like code not that easy to write (for a newbie like
me at least ;) ). Fortunately, tcpdump has a "-d" switch:
linux:~ # tcpdump -i eth1 -d host 192.168.1.1
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [26]
(003) jeq      #0xc0a80101      jt 12   jf 4
(004) ld       [30]
(005) jeq      #0xc0a80101      jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [28]
(009) jeq      #0xc0a80101      jt 12   jf 10
(010) ld       [38]
(011) jeq      #0xc0a80101      jt 12   jf 13
(012) ret      #96
(013) ret      #0
Put that code in a file and there you go...
Of course you can write your own code, which, after some
practicing, may even be better (=faster) than the tcpdump one.
> 3. In snort FAQ, there is an example as following:
> snort <options> ``not ( (icmp = 8 or icmp
> = 0) and host <foo>)'' It's similar to a snort command line, is that
> right? What is the relation between them?
See above. Snort will translate yours into BPF instructions like the
tcpdump ones above and give them to the kernel, where they will be
executed on every packet. This is a very fast and good way to throw away
packets you may not want to see, so use it whenever possible in order to
relieve Snort from looking at uninteresting packets and losing your
precious CPU time on that.
The syntax of the filter for tcpdump and Snort is the same (btw. for
Ethereal too), since all these programs are using libpcap, which is
hiding the devices like BPF and LSF from the programmer so that portable
software based on it may be written.
> Thanks in advance!
> Liuhy 2003/4/21
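To make concrete what "executed on every packet" means, here is a small interpreter for the classic-BPF listing that tcpdump -d prints, run over a handful of constructed Ethernet frames. This is an added example, not code from tcpdump, libpcap or Snort. It assumes the listing above came from an Ethernet interface, so the absolute loads use the standard Ethernet/IPv4/ARP offsets ([12] = EtherType, [26]/[30] = IPv4 source/destination, [28]/[38] = ARP sender/target IP); the frames it tests are built inline, not captured traffic.

```python
"""Tiny classic-BPF interpreter that executes a `tcpdump -d` listing.

Added example for this thread; not code from tcpdump, libpcap or Snort.
It shows what the kernel does with the program above: run it once per
frame and keep the frame (ret #96 = snaplen bytes) or drop it (ret #0).
"""
import re
import struct

# Assumption: the program `tcpdump -i eth1 -d host 192.168.1.1` emits on an
# Ethernet interface, with the standard load offsets: [12] = EtherType,
# [26]/[30] = IPv4 src/dst, [28]/[38] = ARP sender/target IP.
HOST_FILTER = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 6
(002) ld       [26]
(003) jeq      #0xc0a80101      jt 12   jf 4
(004) ld       [30]
(005) jeq      #0xc0a80101      jt 12   jf 13
(006) jeq      #0x806           jt 8    jf 7
(007) jeq      #0x8035          jt 8    jf 13
(008) ld       [28]
(009) jeq      #0xc0a80101      jt 12   jf 10
(010) ld       [38]
(011) jeq      #0xc0a80101      jt 12   jf 13
(012) ret      #96
(013) ret      #0
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(\w+)\s*(.*)$")
LOAD_SIZE = {"ld": 4, "ldh": 2, "ldb": 1}   # absolute loads: word, half, byte


def _imm(text):
    return int(text, 16) if text.startswith("0x") else int(text)


def parse_listing(text):
    """Parse the listing into instruction tuples indexed by pc.
    Only the opcodes tcpdump emits for this filter are handled."""
    prog = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % line)
        pc, op, rest = int(m.group(1)), m.group(2), m.group(3).strip()
        if pc != len(prog):
            raise ValueError("instruction %d out of sequence" % pc)
        if op in LOAD_SIZE:              # ld/ldh/ldb [k]
            prog.append((op, int(re.fullmatch(r"\[(\d+)\]", rest).group(1))))
        elif op == "jeq":                # jeq #k jt A jf B, absolute targets
            k, jt, jf = re.fullmatch(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", rest).groups()
            prog.append((op, _imm(k), int(jt), int(jf)))
        elif op == "ret":                # ret #k: bytes to keep, 0 = drop
            prog.append((op, _imm(rest[1:])))
        else:
            raise ValueError("unsupported opcode %r" % op)
    return prog


def run(prog, frame):
    """Execute prog on one link-layer frame and return the ret value: bytes
    the kernel hands up, or 0 to drop. A load past the end of the frame
    rejects it, as the in-kernel filter does."""
    pc, acc = 0, 0
    while True:
        ins = prog[pc]
        if ins[0] in LOAD_SIZE:
            size, off = LOAD_SIZE[ins[0]], ins[1]
            if off + size > len(frame):
                return 0
            acc = int.from_bytes(frame[off:off + size], "big")
            pc += 1
        elif ins[0] == "jeq":
            pc = ins[2] if acc == ins[1] else ins[3]
        else:
            return ins[1]


def ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ethernet(ethertype, payload):
    # Constructed frame: zeroed MACs, EtherType at offset 12, payload at 14.
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def ipv4_frame(src, dst):
    # Minimal 20-byte IPv4 header; checksum left 0, the filter never reads it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip(src), ip(dst))
    return ethernet(0x0800, hdr)


def arp_frame(spa, tpa):
    # ARP request; sender/target IPs sit at ARP offsets 14 and 24 (frame 28/38).
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       b"\x00" * 6, ip(spa), b"\x00" * 6, ip(tpa))
    return ethernet(0x0806, body)


SAMPLES = {  # constructed test frames, not captured traffic
    "ipv4 from host": ipv4_frame("192.168.1.1", "10.0.0.5"),
    "ipv4 to host": ipv4_frame("10.0.0.5", "192.168.1.1"),
    "ipv4 unrelated": ipv4_frame("10.0.0.5", "10.0.0.6"),
    "arp who-has host": arp_frame("10.0.0.5", "192.168.1.1"),
    "arp unrelated": arp_frame("10.0.0.5", "10.0.0.6"),
    "ipv6, other ethertype": ethernet(0x86DD, b"\x60" + b"\x00" * 39),
    "truncated ipv4": ipv4_frame("192.168.1.1", "10.0.0.5")[:20],
}


def classify(prog=None):
    """Map each sample frame to the filter's verdict (bytes kept, 0 = drop)."""
    prog = prog or parse_listing(HOST_FILTER)
    return {name: run(prog, frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, kept in classify().items():
        print("%-24s -> %s" % (name, "keep %d bytes" % kept if kept else "drop"))
```

Two points a practitioner should keep in mind. The listing is what -d prints for inspection; what `tcpdump -F` and `snort -F` actually read from the file is the filter expression itself (the same `host 192.168.1.1` syntax as on the command line), which libpcap then compiles with pcap_compile into instructions like these. And the interpreter's "load past the end of the frame rejects it" branch is not an implementation detail: a filter that reads IPv4 addresses at fixed offsets silently drops frames too short to contain them, which is why the ARP branch and the IPv4 branch each check the EtherType first.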