[Snort-users] bpf filter to filter on *starting* port?

Bamm Visscher bamm.visscher at ...11827...
Tue Feb 8 15:52:00 EST 2011


If you have a host or network that goes with the port you want to
filter, try something like:

not \(src host 1.2.3.4 and src port 9000\) and not \(dst host 1.2.3.4
and dst port 9000\)

Bamm

On Tue, Feb 8, 2011 at 2:24 AM, Jason Haar <Jason.Haar at ...294...> wrote:
> Hi there
>
> I want to run a BPF filter that ignores all traffic to/from (say) any
> TCP server running on port 9000
>
> I could use "not port 9000" - but that will match
> 1.2.3.4:9000->5.6.7.8:80 - so I'd end up throwing away good data
>
> Is there any BPF skulduggery that allows me to say "not starting-port
> 9000" (ie it needs to be port 9000 IFF the first packet was a SYN
> packet). I guess not, as this is really a "session" issue and tcpdump is
> stateless - but it should be so easy to implement, and would probably
> allow people to correct around 99% of all BPF filters used out there
> today (ahem!)
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
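An added example, not code from this thread or from sguil or Snort: it replays constructed packets (invented hosts 1.2.3.4, 5.6.7.8 and 10.0.0.5) through three filters, the stateless "not port 9000" Jason rejects, the host-scoped expression Bamm suggests, and the session-aware "drop only if the first SYN went to port 9000" rule Jason describes, which BPF cannot express because it keeps no state. The SYN and ACK constants are the standard TCP header flag bits; everything else is assumed for illustration.

```python
# Added example (not from the original post): compare stateless BPF-style
# predicates with a stateful "server port" filter on constructed TCP traffic.
from dataclasses import dataclass

SYN = 0x02  # TCP header flag bits
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = ACK


def flow_key(p):
    """Direction-independent key so both halves of a session map together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def not_port(port):
    """Stateless equivalent of the BPF expression 'not port 9000'."""
    return lambda p: p.sport != port and p.dport != port


def not_host_port(host, port):
    """Stateless equivalent of the host-scoped expression from the reply:
    not (src host H and src port P) and not (dst host H and dst port P)."""
    return lambda p: (not (p.src == host and p.sport == port)
                      and not (p.dst == host and p.dport == port))


class ServerPortFilter:
    """Stateful rule: drop a session only if its first SYN was sent *to* `port`.
    Packets must arrive in order; a session whose SYN was never seen is kept,
    which is the conservative choice for a capture filter."""

    def __init__(self, port):
        self.port = port
        self.server_port = {}  # flow_key -> destination port of the initial SYN

    def __call__(self, p):
        key = flow_key(p)
        if p.flags & SYN and not p.flags & ACK:  # pure SYN opens the session
            self.server_port[key] = p.dport
        srv = self.server_port.get(key)
        return srv is None or srv != self.port


def keep(filter_fn, packets):
    return [p for p in packets if filter_fn(p)]


# Constructed traffic (assumed, not captured data):
# 1) a real client session to the port-9000 server on 1.2.3.4
SERVER_SESSION = [
    Packet("5.6.7.8", 40000, "1.2.3.4", 9000, SYN),
    Packet("1.2.3.4", 9000, "5.6.7.8", 40000, SYN | ACK),
    Packet("5.6.7.8", 40000, "1.2.3.4", 9000, ACK),
    Packet("1.2.3.4", 9000, "5.6.7.8", 40000, ACK),
]
# 2) another host picks 9000 as its ephemeral source port to reach a web server
OTHER_HOST_SESSION = [
    Packet("10.0.0.5", 9000, "5.6.7.8", 80, SYN),
    Packet("5.6.7.8", 80, "10.0.0.5", 9000, SYN | ACK),
    Packet("10.0.0.5", 9000, "5.6.7.8", 80, ACK),
]
# 3) the server host itself makes an outbound connection from ephemeral port 9000
SAME_HOST_SESSION = [
    Packet("1.2.3.4", 9000, "5.6.7.8", 80, SYN),
    Packet("5.6.7.8", 80, "1.2.3.4", 9000, SYN | ACK),
    Packet("1.2.3.4", 9000, "5.6.7.8", 80, ACK),
]
TRAFFIC = SERVER_SESSION + OTHER_HOST_SESSION + SAME_HOST_SESSION


def compare(port=9000, host="1.2.3.4", packets=TRAFFIC):
    """Number of packets each filter keeps out of `packets`."""
    return {
        "not port": len(keep(not_port(port), packets)),
        "host-scoped": len(keep(not_host_port(host, port), packets)),
        "stateful": len(keep(ServerPortFilter(port), packets)),
    }


if __name__ == "__main__":
    for name, n in compare().items():
        print(f"{name:12s} keeps {n} of {len(TRAFFIC)} packets")
```

On this traffic "not port 9000" keeps nothing, the host-scoped expression keeps only the session from 10.0.0.5 (it still drops the server host's own outbound flow that happened to start from port 9000), and the stateful rule keeps both non-server sessions and drops only the genuine port-9000 service session. The host-scoped form is therefore the practical stateless approximation, and the residual loss is limited to ephemeral-port collisions on that one host.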