BPF Filters
One of the best known network sniffers, tcpdump, introduced the concept of Berkeley Packet Filters (BPF) to select network traffic. The problem with an IDS is that it logs not millions but zillions of packets, so we need a way to specify only those packets that meet our conditions. Snort supports BPF filters: everything written on the command line after the options is taken as the filter expression. The expression is compiled by libpcap and applied before Snort ever sees the packet, so packets that do not match are discarded cheaply.
snort -dev tcp
Here we use a simple BPF filter specifying that only TCP traffic should be displayed. Thus when we ping 70.0.0.3 as usual, Snort shows nothing, since ICMP is not TCP. If we connect to the web server on 70.0.0.3 we see the traffic displayed by Snort.
snort -dev tcp and icmp
ERROR: OpenPcap() FSM compilation failed:
expression rejects all packets
PCAP command: tcp and icmp
The above filter is rejected because a single packet cannot be both TCP and ICMP. It is actually libpcap's filter compiler, which Snort calls to build the filter, that notices this condition can never be true and reports the error.
snort -dev tcp or icmp
What we should have used is or instead of and. Snort now captures all packets that are either TCP or ICMP, but not UDP (and not ARP either, since neither term matches a non-IP frame).
snort -dev ip or arp
Earlier the ARP packets were not captured, because tcp and icmp only match IP packets. Now all IP or ARP packets are included in the display.
snort -dev dst 70.0.0.3
When we ping a host we get two packets, the echo request we send and the echo reply. dst (short for dst host) tests the destination address field. Thus we now get only one packet: the echo request we send to 70.0.0.3. The reply, whose destination is our own address, is not shown. In the same vein the src keyword tests the source address field.
snort -dev dst 70.0.0.3 and src 70.0.0.10
This again gives us one packet instead of two: the request sent from 70.0.0.10 to 70.0.0.3.
snort -dev host 70.0.0.3
Now we get two packets, as host matches either the source or the destination address. This filter gives us all packets to and from IP address 70.0.0.3. Note that without a protocol qualifier host also matches ARP packets whose sender or target address is 70.0.0.3; write ip host 70.0.0.3 to restrict the match to IP.
snort -dev ether src 0:0:E8:DF:A4:66
What applies to IP addresses also applies to Ethernet addresses. One of our machines has the Ethernet address 0:0:E8:DF:A4:66, so with ether src we once again see only one packet of the ping pair. ether host gives us both. The same rules as for IP apply with the word ether added: ether src, ether dst and ether host. Because these test the link-layer header, they match every frame that machine sends or receives, including ARP.
snort -dev dst port 80
Here dst port tests the destination port, and 80 is the HTTP port. This gives us all packets whose destination port is 80, that is, everything we send to a web server: the connection handshake, our GET requests and the ACKs for the server's data. When the web server sends us data its source port is 80 and the destination port is the ephemeral port we connected from.
snort -dev src port 80
This displays only the packets sent to us by the web server; the payload of the first data packet starts with HTTP and the version number. port on its own does not differentiate between TCP and UDP. Thus we can prefix it with the protocol, tcp src port 80, to capture only TCP traffic and not UDP.
snort -dev less 100
The above matches packets whose total length is at most 100 bytes: less 100 means len <= 100, not strictly less. Thus a default-size ping frame (74 to 98 bytes depending on the operating system) gets through but an HTTP request with its headers does not. less has a counterpart, greater 100, which displays packets of 100 bytes or more (len >= 100).
snort -dev ether broadcast
This prints only Ethernet broadcast frames, those whose destination address is all FF's (ff:ff:ff:ff:ff:ff), such as ARP requests. In the same way we can write ip multicast or ip broadcast.
snort -dev ip[0] = 0x45
BPF filters stand out in that we can access any byte of the Ethernet, IP, TCP or UDP header. We write the name of the protocol and use square brackets to give the byte offset from the start of that header. In IP the first byte holds the version (4) in the high nibble and the header length in 32-bit words (5) in the low nibble, so an IPv4 packet without options has ip[0] equal to 0x45. A packet carrying IP options has a larger low nibble and does not match; to test the version alone use ip[0] & 0xf0 = 0x40.
snort -dev ip[2:2] = 40
The 3rd and 4th bytes of the IP header (offsets 2 and 3) contain the total length of the packet. The :2 gives the size in bytes, so ip[2:2] reads the two bytes at offset 2 as a single 16-bit value. We are looking for IP packets with no payload, only the 20-byte IP header and a 20-byte TCP header. These are TCP segments carrying neither data nor options, typically bare ACKs; SYNs normally carry options such as MSS and are therefore longer than 40 bytes.
snort -dev ether[12] = 8 and ether[13] = 0
Using the ether array we can access the 14 bytes of the Ethernet header. The last two, offsets 12 and 13, hold the type of the data that follows: 0x0800 is IP and 0x0806 is ARP. Thus the above filter catches only IP packets and not ARP. ether[12:2] = 0x0800 says the same thing in one comparison, and is equivalent to the keyword ip. The easiest way to generate ARP packets is to ping a non-existent address on the local subnet, which makes the stack send ARP requests that never get a reply.
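The filters above, as an added example that is not part of this tutorial and not Snort's or libpcap's code: a small Python script that builds a few sample frames (a ping pair, an HTTP request and response, a bare ACK and an ARP request) and applies each filter expression from the text to them, so the byte-offset forms ether[12:2], ip[0] and ip[2:2] and the named primitives can be checked without a sniffer. The MAC 0:0:E8:DF:A4:66 is assumed to belong to 70.0.0.10; the server MAC 0:0:E8:00:00:03, the ARP target 70.0.0.99 and the HTTP payloads are invented, and checksums are left at zero. It mirrors two libpcap behaviours worth knowing: less n means len <= n, and an unqualified host, src or dst also matches the sender and target addresses inside ARP packets.

```python
"""Added example (not from the Snort tutorial or from libpcap): the BPF
primitives used above, re-implemented as Python predicates over hand-built
Ethernet frames so they can be checked offline.  Frames are constructed
sample data; checksums are left at zero."""
import ipaddress
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
HOST_MAC = "0:0:E8:DF:A4:66"    # assumed to be the MAC of 70.0.0.10
SERVER_MAC = "0:0:E8:00:00:03"  # hypothetical MAC for the web server 70.0.0.3

def mac(s):                     # "0:0:E8:DF:A4:66" -> 6 raw bytes
    return bytes(int(x, 16) for x in s.split(":"))

def ip4(s):
    return ipaddress.IPv4Address(s).packed

def ether(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):   # 0x45 = IPv4, 20-byte header, no options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip4(src), ip4(dst)) + payload

def tcp(sport, dport, flags, payload=b""):   # data offset 5 = no TCP options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def icmp(kind, payload=b"A" * 56):           # 8 = echo request, 0 = echo reply
    return struct.pack("!BBHHH", kind, 0, 0, 1, 1) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1) + mac(sender_mac)
            + ip4(sender_ip) + b"\x00" * 6 + ip4(target_ip))

GET = (b"GET / HTTP/1.1\r\nHost: 70.0.0.3\r\n"
       b"User-Agent: Mozilla/4.0 (compatible)\r\nAccept: */*\r\n\r\n")
RESP = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
FRAMES = {  # the ping pair, an HTTP exchange, a bare ACK and an ARP request
    "ping_request": ether(SERVER_MAC, HOST_MAC, ETHERTYPE_IP,
                          ipv4("70.0.0.10", "70.0.0.3", PROTO_ICMP, icmp(8))),
    "ping_reply": ether(HOST_MAC, SERVER_MAC, ETHERTYPE_IP,
                        ipv4("70.0.0.3", "70.0.0.10", PROTO_ICMP, icmp(0))),
    "http_get": ether(SERVER_MAC, HOST_MAC, ETHERTYPE_IP,
                      ipv4("70.0.0.10", "70.0.0.3", PROTO_TCP, tcp(1025, 80, 0x18, GET))),
    "http_resp": ether(HOST_MAC, SERVER_MAC, ETHERTYPE_IP,
                       ipv4("70.0.0.3", "70.0.0.10", PROTO_TCP, tcp(80, 1025, 0x18, RESP))),
    "bare_ack": ether(SERVER_MAC, HOST_MAC, ETHERTYPE_IP,
                      ipv4("70.0.0.10", "70.0.0.3", PROTO_TCP, tcp(1025, 80, 0x10))),
    "arp_request": ether("ff:ff:ff:ff:ff:ff", HOST_MAC, ETHERTYPE_ARP,
                         arp_request(HOST_MAC, "70.0.0.10", "70.0.0.99")),
}

def ether_at(f, off, size=1):   # ether[off:size]: big-endian value at a byte offset
    return int.from_bytes(f[off:off + size], "big")

def ip_at(f, off, size=1):      # ip[off:size]; offsets count from the IP header
    return ether_at(f, 14 + off, size) if ether_at(f, 12, 2) == ETHERTYPE_IP else None

def is_arp(f):
    return ether_at(f, 12, 2) == ETHERTYPE_ARP

def src_host(f):   # like libpcap, an unqualified host/src/dst also checks ARP
    if ip_at(f, 0) is not None: return str(ipaddress.IPv4Address(f[26:30]))
    if is_arp(f): return str(ipaddress.IPv4Address(f[28:32]))   # ARP sender IP
    return None

def dst_host(f):
    if ip_at(f, 0) is not None: return str(ipaddress.IPv4Address(f[30:34]))
    if is_arp(f): return str(ipaddress.IPv4Address(f[38:42]))   # ARP target IP
    return None

def port(f, which):   # which: 0 = source port, 2 = destination port
    if ip_at(f, 9) not in (PROTO_TCP, PROTO_UDP): return None     # TCP/UDP only
    return ether_at(f, 14 + (ip_at(f, 0) & 0x0F) * 4 + which, 2)  # skip IP header

FILTERS = {   # each expression from the tutorial as a predicate on one frame
    "tcp": lambda f: ip_at(f, 9) == PROTO_TCP,
    "tcp and icmp": lambda f: ip_at(f, 9) == PROTO_TCP and ip_at(f, 9) == PROTO_ICMP,
    "tcp or icmp": lambda f: ip_at(f, 9) in (PROTO_TCP, PROTO_ICMP),
    "ip or arp": lambda f: ip_at(f, 0) is not None or is_arp(f),
    "dst 70.0.0.3": lambda f: dst_host(f) == "70.0.0.3",
    "host 70.0.0.3": lambda f: "70.0.0.3" in (src_host(f), dst_host(f)),
    "ether src 0:0:E8:DF:A4:66": lambda f: f[6:12] == mac(HOST_MAC),
    "dst port 80": lambda f: port(f, 2) == 80,
    "tcp src port 80": lambda f: ip_at(f, 9) == PROTO_TCP and port(f, 0) == 80,
    "less 100": lambda f: len(f) <= 100,           # pcap's less n is len <= n
    "ether broadcast": lambda f: f[0:6] == b"\xff" * 6,
    "ip[0] = 0x45": lambda f: ip_at(f, 0) == 0x45,
    "ip[2:2] = 40": lambda f: ip_at(f, 2, 2) == 40,
    "ether[12:2] = 0x0800": lambda f: ether_at(f, 12, 2) == 0x0800,
}

def matches(expr, frames=FRAMES):
    """Sorted names of the sample frames that the given filter expression passes."""
    return sorted(name for name, f in frames.items() if FILTERS[expr](f))

if __name__ == "__main__":
    for expr in FILTERS:   # libpcap would reject "tcp and icmp" at compile time
        print(f"{expr:26} -> {', '.join(matches(expr)) or '(nothing)'}")
```

Run it directly to print which sample frames each filter passes. Two details differ from a real sniffer: libpcap refuses tcp and icmp at compile time, whereas this evaluator simply never matches it, and the script does no parsing of filter expressions, each one is hand-translated into a predicate. ether src matches the ARP request as well as the IP frames, since it tests the link-layer header regardless of what follows, and only the bare ACK has an IP total length of 40.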