4.2.11 Log Null Output Module
This output plug-in causes alert entries not to be logged at all. For example, you can
create a rule type that sends SNMP traps without writing the matching alerts to any log
file. However, I would not recommend using it. You should always keep a record of alerts,
so that if you want to take any action against intruders you have evidence of what the
IDS actually saw.
4.3 Using BPF Filters
The Berkeley Packet Filter (BPF) is a mechanism for filtering data packets at the data
link layer. These filters are used extensively with the tcpdump program to select the
traffic you want to capture, and you can use them with Snort as well. When a BPF filter
is in place, Snort rules are applied only to those packets that pass the filter; packets
that do not match are discarded by the capture library before Snort's decoder, preprocessors
and detection engine ever see them. This saves CPU time by not applying Snort rules to
packets that are of no interest, but it also means that a filter which is too narrow
silently blinds the sensor to everything it excludes. For example, a BPF filter can
compare a particular byte at a given offset from the start of the IP header, TCP header
or UDP header.
You can place BPF filters in a file and name that file on the command line when
starting Snort. Suppose you want Snort to examine only packets whose Type of Service
(TOS) field in the IP header is not equal to 0. The TOS field is the second byte of the
IP header. For this purpose, create a file bpf.txt containing the following line:
ip[1] != 0
The number 1 is the byte offset from the start of the IP header. Offsets start at 0, so
byte number 1 is the TOS field. For the structure of the IP header, refer to Appendix C.
After creating this file, use the following command line to start Snort with the
filter enabled. The -F option tells Snort to read its BPF filter from the named file:
snort -F bpf.txt -c /opt/snort/etc/snort.conf
Only those packets whose TOS field has some value other than 0 will reach the Snort
detection engine. A TOS value of 0 is the default for ordinary traffic; other values
request special handling such as low delay or high throughput. Be aware that this byte
has since been redefined as the Differentiated Services field: its upper six bits carry
the DSCP code point and its lower two bits carry ECN. On networks where hosts negotiate
ECN or routers apply DSCP marking, perfectly ordinary traffic will therefore have a
non-zero value here and will pass this filter.