[Snort-users] bpf filter to filter on *starting* port?

Jason Haar Jason.Haar at ...294...
Tue Feb 8 16:36:47 EST 2011


On 02/09/2011 09:52 AM, Bamm Visscher wrote:
> If you have a host or network that goes with the port you want to
> filter, try something like:
No - I said "any host". I want to not record packets going to *any*
server running a TCP service on port 9000. This is all easy to do if you
have host ips.

I have come to the conclusion it isn't possible. If you are doing BPF
filters involving "standard" TCP services such as http, smtp, https, you
don't see this problem as they are all <1024, and the other port
involved in a TCP session is always >1024, so "not port 25" will
*always* just ignore TCP services running on port 25. However, if you
are wanting to do the same thing for services on ports >1024 (e.g.
proxies, arcserve, SQL), then a BPF filter *will have false matches* as
sometimes those port numbers will be used by other TCP sessions.

To fix this would require BPF to become a bit more state-aware (like what
stream5 adds to snort) - which is probably beyond what it sets out to do.

e.g.

alert tcp any any  -> $HOME_NET 3306 (msg:"someone talking to MySQL
server";flow:to_server,established;...)

The flow:to_server ensures this never matches against 1.2.3.4:80 ->
$HOME_NET:3306 (assuming 1.2.3.4:80 is a webserver of course)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
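The false-match problem described in the post, as an added illustration that is not part of the original thread: a stateless "not port 9000" test (what BPF does) is compared against a filter that remembers, from the bare SYN, which end of each flow is the server (a minimal stand-in for what stream5's flow:to_server provides). The Pkt record, tcp_session builder, FlowTracker class and the 10.0.0.x packets are all constructed for this example, not taken from a capture or from Snort.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """A TCP packet reduced to the fields a port filter looks at (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def tcp_session(client, cport, server, sport):
    """Build the three-way handshake plus one data segment each way (constructed sample)."""
    return [
        Pkt(client, cport, server, sport, syn=True),            # SYN
        Pkt(server, sport, client, cport, syn=True, ack=True),  # SYN/ACK
        Pkt(client, cport, server, sport, ack=True),            # ACK
        Pkt(client, cport, server, sport, ack=True),            # client data
        Pkt(server, sport, client, cport, ack=True),            # server data
    ]


# Session A: a real service listening on 9000; this is what "not port 9000" is meant to drop.
SERVICE_ON_9000 = tcp_session("10.0.0.5", 51000, "10.0.0.9", 9000)
# Session B: an HTTP session whose *client* happened to pick 9000 as its ephemeral port.
HTTP_WITH_EPHEMERAL_9000 = tcp_session("10.0.0.7", 9000, "10.0.0.8", 80)
PACKETS = SERVICE_ON_9000 + HTTP_WITH_EPHEMERAL_9000


def bpf_not_port(pkts, port):
    """Stateless filter equivalent to BPF 'not port N': each packet is judged alone."""
    return [p for p in pkts if p.sport != port and p.dport != port]


class FlowTracker:
    """Remembers which end of each flow is the server, learned from the bare SYN.

    A tiny stand-in for the flow state stream5 gives a Snort rule via
    flow:to_server; BPF has no such memory, which is the gap the post describes.
    """

    def __init__(self):
        self.server_of = {}  # flow key -> (server ip, server port)

    @staticmethod
    def key(p):
        # Direction-independent identity for the 5-tuple (TCP only in this example).
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def server_port(self, p):
        k = self.key(p)
        if p.syn and not p.ack:           # bare SYN: the destination is the server
            self.server_of[k] = (p.dst, p.dport)
        srv = self.server_of.get(k)
        return srv[1] if srv else None    # None: handshake not seen, server unknown


def flow_aware_not_server_port(pkts, port):
    """Drop only packets of flows whose *server* side is `port`.

    Flows whose SYN was never observed are kept: when the goal is to exclude
    one service from a recording sensor, "unknown" should fail toward recording.
    """
    tracker = FlowTracker()
    return [p for p in pkts if tracker.server_port(p) != port]


def compare(pkts=PACKETS, port=9000):
    """Return (packets kept by the stateless filter, packets kept by the flow-aware one)."""
    return bpf_not_port(pkts, port), flow_aware_not_server_port(pkts, port)


if __name__ == "__main__":
    stateless, stateful = compare()
    print(f"stateless 'not port 9000' kept {len(stateless)} of {len(PACKETS)} packets")
    print(f"flow-aware filter kept {len(stateful)} packets (the HTTP session):")
    for p in stateful:
        print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run as a script it shows the stateless filter throwing away both sessions, including the HTTP one that merely used 9000 as a client port, while the flow-aware filter drops only the session whose server really listens on 9000. The tracker only classifies a flow once it has seen the SYN, so a sensor started mid-stream keeps (rather than silently drops) packets of flows it cannot attribute; that is the direction you want an exclusion filter to fail in.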