[Snort-users] filters

Phil Wood cpw at ...440...
Tue Jul 29 18:52:05 EDT 2003


Folks,

This explanation is for Unix users.  Others would need to have had some
experience at an xterm window.

The BPF syntax, as defined in the 'man tcpdump', (on unix at least) should
be all you need to make a good filter.  

  % man tcpdump
  /  expression
   ^^ two spaces

will get you to the section that defines the primitives used to build
the filters.

You need to be careful.  If you say:

  dst net ( 10.1/16 or 192.168.3/19 )

you will not get complete "sessions" because only packets directed to the
second address in the IP header, that belong to the corresponding
networks, will filter into the application.

A simpler filter:

  net ( 10.1/16 or 192.168.3/19 )

gets packets with either a source IP address or destination IP address
in the ranges supplied.

If you do not want to see any of these packets, but all the rest then
you use the following syntax:

  not net ( 10.1/16 or 192.168.3/19 )

The exclamation point (!) isn't used in these expressions.  However,
you can delve into the packet structure using arithmetic expressions 
including special packet data "accessors" and "relation operators",
one of which is '!=' (which is pronounced "not equal").

An example of the use of a "relation" is:

   'tcp[14:2] == 55808'   (note: two primes are used on the command line
                                 to enclose special shell syntax characters)

So, try this on your link from the Void:

  # void_interface=eth2
  # tcpdump -nv -i $void_interface 'tcp[14:2] == 55808'

I'm assuming you will see something.  If not, the place I work is really
special.  Just what you see or (might see) is left as an exercise for the
reader.

Hope this helps,

-- 
Phil Wood, cpw at ...440...
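As an added illustration (not part of Phil Wood's post, and not libpcap's own code), the Python below re-implements what the three filters in the post select, over a handful of constructed Ethernet/IPv4/TCP frames: 'dst net' keeps only the inbound half of a session, 'net' keeps both halves, 'not net' keeps everything else, and 'tcp[14:2]' reads the 16-bit TCP window field (TCP header offset 14) relative to the start of the TCP header, after skipping the link-layer header and the variable-length IP header. Two assumptions are built in: the second prefix is written as 192.168.0.0/19, because libpcap rejects a net/len with host bits set (such as 192.168.3/19) with "non-network bits set"; and, as libpcap does, the accessor is only evaluated on the first (or only) fragment of a datagram, so a later fragment never matches. All addresses and packets are constructed sample data.

```python
"""Re-implementation of the BPF filters from the post, over constructed frames.

Added example: not code from the post or from libpcap.  It mirrors the
meaning of 'net', 'dst net', 'not net' and the tcp[offset:size] accessor so
the direction ("session") point can be checked on sample packets.
"""
import ipaddress
import struct

ETH_LEN = 14  # Ethernet header; BPF's ip[] and tcp[] offsets begin after it


def build_frame(src_ip, dst_ip, sport, dport, window, flags_frag=0x4000):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data, no checksums).

    flags_frag is the IPv4 flags/fragment-offset word; the default sets DF
    with offset 0, i.e. an unfragmented datagram.
    """
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,  # IHL=5, proto=TCP
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 1, 1, 5 << 4, 0x10, window, 0, 0)  # ACK set
    return eth + ip + tcp


def is_ipv4_tcp(frame):
    return frame[12:14] == b"\x08\x00" and frame[ETH_LEN + 9] == 6


def ip_src(frame):
    return ipaddress.IPv4Address(frame[ETH_LEN + 12:ETH_LEN + 16])


def ip_dst(frame):
    return ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20])


def tcp_field(frame, offset, size):
    """tcp[offset:size]: big-endian integer relative to the TCP header start.

    As in libpcap's compiled code, only IPv4/TCP packets whose fragment
    offset is zero are examined; anything else yields None (no match).
    """
    if not is_ipv4_tcp(frame):
        return None
    frag_off = struct.unpack("!H", frame[ETH_LEN + 6:ETH_LEN + 8])[0] & 0x1FFF
    if frag_off != 0:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IP header length in bytes
    start = ETH_LEN + ihl + offset
    return int.from_bytes(frame[start:start + size], "big")


# 'net ( 10.1/16 or 192.168.3/19 )' from the post.  The second prefix is
# written with its host bits cleared, since libpcap refuses 192.168.3/19.
NETS = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.0.0/19")]


def dst_net(frame, nets=NETS):          # dst net ( ... ): destination address only
    return any(ip_dst(frame) in n for n in nets)


def net(frame, nets=NETS):              # net ( ... ): source or destination address
    return any(ip_src(frame) in n or ip_dst(frame) in n for n in nets)


def not_net(frame, nets=NETS):          # not net ( ... )
    return not net(frame, nets)


def tcp_window_is(frame, value=55808):  # 'tcp[14:2] == 55808'
    return tcp_field(frame, 14, 2) == value


def select(frames, predicate):
    """Indices of the frames the filter would pass up to the application."""
    return [i for i, f in enumerate(frames) if predicate(f)]


# Constructed traffic: one client/server exchange, an unrelated packet, and a
# later fragment of the server's reply (documentation/test addresses only).
FRAMES = [
    build_frame("10.1.2.3", "203.0.113.7", 40000, 80, 65535),      # 0: inside -> outside
    build_frame("203.0.113.7", "10.1.2.3", 80, 40000, 55808),      # 1: outside -> inside
    build_frame("198.51.100.9", "203.0.113.7", 1024, 25, 55808),   # 2: neither network
    build_frame("203.0.113.7", "10.1.2.3", 80, 40000, 55808,
                flags_frag=0x0010),                                # 3: fragment offset 16
]

if __name__ == "__main__":
    for name, pred in [("dst net", dst_net), ("net", net),
                       ("not net", not_net), ("tcp[14:2] == 55808", tcp_window_is)]:
        print(f"{name:>20}: frames {select(FRAMES, pred)}")
```

Running it prints which frame indices each filter passes: 'dst net' drops the client's outbound packet (frame 0) that 'net' keeps, which is exactly the incomplete-session effect the post warns about. To compare against the real thing, `tcpdump -d 'tcp[14:2] == 55808'` prints the compiled BPF program, and the EtherType, protocol and fragment-offset checks it contains are the ones tcp_field() reproduces.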
