[Snort-users] bpf filter to filter on *starting* port?

Jason Haar Jason.Haar at ...294...
Tue Feb 8 02:24:52 EST 2011

Hi there

I want to run a BPF filter that ignores all traffic to/from (say) any
TCP server running on port 9000

I could use "not port 9000" - but that will match> - so I'd end up throwing away good data

Is there any BPF skulduggery that allows me to say "not starting-port
9000" (ie it needs to be port 9000 IFF the first packet was a SYN
packet). I guess not, as this is really a "session" issue and tcpdump is
stateless - but it should be so easy to implement, and would probably
allow people to correct around 99% of all BPF filters used out there
today (ahem!)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
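
Added example, not part of the original post: a Python sketch contrasting the stateless behaviour of `not port 9000`, which matches the port as either source or destination, with a stateful filter that ignores a flow only when its initial SYN was sent to port 9000. The packet tuples, addresses and function names are constructed for illustration.

```python
SYN, ACK = 0x02, 0x10

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    # Flow A: client connects to a server listening on port 9000
    ("10.0.0.5", 40000, "10.0.0.9", 9000, SYN),
    ("10.0.0.9", 9000, "10.0.0.5", 40000, SYN | ACK),
    ("10.0.0.5", 40000, "10.0.0.9", 9000, ACK),
    # Flow B: client happens to use ephemeral source port 9000 towards port 443
    ("10.0.0.5", 9000, "192.0.2.10", 443, SYN),
    ("192.0.2.10", 443, "10.0.0.5", 9000, SYN | ACK),
    ("10.0.0.5", 9000, "192.0.2.10", 443, ACK),
    # Flow C: unrelated connection
    ("10.0.0.6", 51000, "192.0.2.10", 80, SYN),
]

def stateless_not_port(packets, port):
    """Per-packet test like BPF 'not port N': drops N as source OR destination."""
    return [p for p in packets if port not in (p[1], p[3])]

def stateful_not_server_port(packets, port):
    """Drop only flows whose initial SYN (SYN set, ACK clear) went to `port`.

    Flows whose SYN was never seen (capture started mid-stream) are kept,
    because the server side cannot be determined for them.
    """
    ignored = set()  # direction-independent flow keys being dropped
    kept = []
    for pkt in packets:
        src, sport, dst, dport, flags = pkt
        key = frozenset([(src, sport), (dst, dport)])
        if flags & SYN and not flags & ACK:
            if dport == port:
                ignored.add(key)
            else:
                ignored.discard(key)  # 4-tuple reused by a new connection
        if key not in ignored:
            kept.append(pkt)
    return kept

if __name__ == "__main__":
    print("stateless keeps:", len(stateless_not_port(PACKETS, 9000)))
    print("stateful keeps: ", len(stateful_not_server_port(PACKETS, 9000)))
```

The stateless filter discards Flow B along with Flow A, while the SYN-tracking filter keeps Flow B and drops only the session to the port 9000 server.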
