
Snort Forums Archive


What is BPF?


Posted by matta on March 14, 2005 13:39:31

Hi, I have recently set up my SNORT IDS (FC3\SNORT\APACHE\BASE\MYSQL\PHP) and when browsing around I found some articles regarding the use of BPF. From what I understand this filters packets so that your IDS doesn't have to scan every packet.

When I configured snort.conf there were filters in there so that the signatures only applied to certain addresses. So is BPF still relevant?

Thanks

Matt

Posted by maverick on March 15, 2005 05:12:03

Yes. Using BPF to filter traffic going into snort will require it to run fewer packets through its rulebase and preprocessors, thus making it perform better. By changing rules (or setting config variables) to only alert for specific IP ranges, you will make fewer alerts for yourself, but snort still has to process each packet.

Posted by nigel on March 16, 2005 09:15:06

BPF is the "Berkeley Packet Filter"

You will find this on BSD and SunOS boxes (don't recall if it is on Slowlaris or not); if you have one, "man bpf" will give you more information. Otherwise, if you are Lunix or Windows impaired, you can take a look at an online man page like this: http://www.daemon-systems.org/man/bpf.4.html

What you can do is use a filter that uses BPF-style syntax to "filter out" traffic you do not want to look at, if you so desire. You should also look at "man tcpdump" as well, since this is probably more akin to what you seek and gives you an idea of filter syntax.
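To make the distinction in the two replies above concrete, here is an added toy model (not code from the thread, and not Snort's or libpcap's own code): a capture filter standing in for the BPF expression `not host 10.0.0.9` drops packets before the engine sees them, while an address restriction inside a rule only limits which packets alert. The packets, the single rule and the `Engine` class are constructed for illustration; real Snort passes the BPF expression on its command line to libpcap, which this code does not call.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample traffic: HOME_NET is 192.168.1.0/24 and 10.0.0.9 is a
# noisy backup server whose SMB traffic we do not want the sensor to inspect.
TRAFFIC = [
    Packet("10.0.0.9", "192.168.1.20", "tcp", 445),
    Packet("10.0.0.9", "192.168.1.21", "tcp", 445),
    Packet("203.0.113.7", "192.168.1.10", "tcp", 80),
    Packet("192.168.1.10", "203.0.113.7", "udp", 53),
    Packet("198.51.100.4", "192.168.1.10", "tcp", 22),
]


def in_home_net(ip: str) -> bool:
    """Stand-in for the $HOME_NET variable check inside a rule."""
    return ip.startswith("192.168.1.")


def bpf_not_host(host: str):
    """Stand-in for the BPF expression 'not host <ip>'. With real Snort the
    kernel/libpcap applies it, so rejected packets never reach snort at all."""
    return lambda p: p.src != host and p.dst != host


@dataclass
class Engine:
    """Toy rule engine with one rule: alert tcp any any -> $HOME_NET 22."""
    inspected: int = 0
    alerts: list = field(default_factory=list)

    def process(self, p: Packet) -> None:
        self.inspected += 1  # every packet handed to the engine costs work
        if p.proto == "tcp" and in_home_net(p.dst) and p.dport == 22:
            self.alerts.append(p)


def run(traffic, capture_filter=None):
    """Return (packets inspected, alerts raised) for the given traffic."""
    eng = Engine()
    for p in traffic:
        if capture_filter is not None and not capture_filter(p):
            continue  # dropped before preprocessors and rules see it
        eng.process(p)
    return eng.inspected, len(eng.alerts)
```

Without a capture filter the engine inspects all five packets and raises one alert; with `bpf_not_host("10.0.0.9")` it inspects only three and still raises the same single alert, which is the performance point made above.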