[Snort-users] bpf filter to filter on *starting* port?
Jason.Haar at ...294...
Tue Feb 8 02:24:52 EST 2011
I want to run a BPF filter that ignores all traffic to/from (say) any TCP server running on port 9000.

I could use "not port 9000" - but that will match 22.214.171.124:9000->126.96.36.199:80 - so I'd end up throwing away good data.

Is there any BPF skulduggery that allows me to say "not starting-port 9000" (i.e. it needs to be port 9000 IFF the first packet was a SYN packet)? I guess not, as this is really a "session" issue and tcpdump is stateless - but it should be so easy to implement, and would probably allow people to correct around 99% of all BPF filters used out there.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
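The session-aware check the post asks for, as an added example that is not part of the original message: a small Python tracker (all addresses, ports and flags are constructed sample data) that learns each flow's server port from its opening SYN, then compares the result with what the stateless "not port 9000" expression would keep.

```python
"""Stateful "server-port" filtering that a stateless BPF expression cannot do.

BPF judges one packet at a time, so "not port 9000" also drops a client that
happened to pick 9000 as its ephemeral source port when talking to a web
server. Here the server port is learned from the bare SYN that opens each
flow and later packets of that flow inherit the verdict. All packet records
below are constructed sample data.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")
SYN, ACK = 0x02, 0x10

def flow_key(p):
    """Direction-independent 4-tuple so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def stateless_filter(pkts, port):
    """Equivalent of the BPF 'not port <port>': keep packets with neither port equal."""
    return [p for p in pkts if p.sport != port and p.dport != port]

def stateful_filter(pkts, port):
    """Drop a flow only if the server port (dport of its opening SYN) is <port>.

    Flows whose SYN was never seen are kept: their server side is unknown.
    """
    server_port = {}  # flow key -> server port learned from the SYN
    kept = []
    for p in pkts:
        k = flow_key(p)
        if p.flags & SYN and not p.flags & ACK:  # bare SYN opens the flow
            server_port[k] = p.dport
        if server_port.get(k) != port:
            kept.append(p)
    return kept

# Constructed sample: a real :9000 service flow and a client using 9000 as source port.
SAMPLE = [
    Pkt("10.0.0.5", 51000, "10.0.0.9", 9000, SYN),
    Pkt("10.0.0.9", 9000, "10.0.0.5", 51000, SYN | ACK),
    Pkt("10.0.0.5", 51000, "10.0.0.9", 9000, ACK),
    Pkt("10.0.0.7", 9000, "10.0.0.8", 80, SYN),  # ephemeral source port 9000
    Pkt("10.0.0.8", 80, "10.0.0.7", 9000, SYN | ACK),
    Pkt("10.0.0.7", 9000, "10.0.0.8", 80, ACK),
]

if __name__ == "__main__":
    print(len(stateless_filter(SAMPLE, 9000)), len(stateful_filter(SAMPLE, 9000)))
```

On the sample the stateless filter keeps nothing (the web flow is lost along with the :9000 service), while the session tracker keeps the three packets of the web flow.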