RE: Same source/dest

[Erek Adams <erek () snort org>]

On Wed, 2 Apr 2003, Brei, Matt wrote:

> How do I go about adding a BPF, and what is a BPF as long as I'm asking
> how to add one?  Thank you.

BPF == Berkely Packet Filter.  Libpcap supports the use of the BPF style
of filters to examine or limit traffic.

For example to only look at traffic going to or from host foo:

        'host foo'

> From foo to bar

        'src foo and dst bar'

Ignore SSH

        'not port 22'

Ignore SSH, but look at all other traffic from foo

        'src host foo and not port 22'

All traffic to/from bar, and only telnet traffic from foo

        'host bar and (src host foo and port 21)'

For more info on that, have a look at the tcpdump man page, as it gives a
much better explanation than I can.  Also have a look at this [0] for an
example of how to use it with Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/ignore.txt


-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users