--fail is one of the most useful yet underutilized command-line options available for rwfilter. In most cases, analysts use --fail when the flows that match a filter and those that do not match are of equal importance. That is the case in manifolds, which partition data into meaningful bins according to types of activity: each rwfilter stage sends matching flows to one bin via --pass and hands the remainder to the next stage via --fail.

--fail also becomes useful when the list of flow characteristics we want (e.g. a list of ports) is longer than the list of those we don't want. For example, consider trying to filter for all activity except SMTP, HTTP and HTTPS. The list of desired ports would then be:

--dport=0-24,26-79,81-442,444-65535

but that list is much longer than the list of unwanted ports:

--dport=25,80,443

So we could formulate the query as a negative (note that we're using --fail instead
of --pass):

  rwfilter --start=2007/1/1:00 --end=2007/1/1:00 --type=in,inweb --dport=25,80,443 \
     --fail=nonSMTPandHTTPS.raw

Note

We can specify a --pass and a --fail target in the same query. Additionally, we
can specify an --all target that will receive all flows, whether they pass or fail
the filter.
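To make the pass/fail/all relationship concrete, here is an added illustration (not SiLK code, and not from the original page): a small Python model of one rwfilter --dport stage run over constructed flow records. It expands rwfilter-style port lists, splits the records into the sets that --pass, --fail and --all would receive, and checks that --fail on the short list (25,80,443) produces exactly the records that --pass on the long complementary list would. The Flow class, the sample records and the helper names are assumptions made for this example.

```python
"""Model of rwfilter's --pass/--fail/--all partition on constructed flow records.

Added illustration, not part of SiLK: shows that a --fail on a short port
list is the same partition as a --pass on the long complementary list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal stand-in for a SiLK flow record (constructed, not real data)."""
    sip: str
    dip: str
    dport: int
    proto: int


def parse_port_list(spec: str) -> set[int]:
    """Expand an rwfilter-style port list such as '0-24,26-79,81-442,444-65535'."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def rwfilter_dport(flows, dport_spec: str):
    """Model one rwfilter invocation with --dport=SPEC.

    Returns (passed, failed, all_flows): records that matched the filter,
    records that did not, and every record, mirroring --pass, --fail and --all.
    """
    wanted = parse_port_list(dport_spec)
    passed = [f for f in flows if f.dport in wanted]
    failed = [f for f in flows if f.dport not in wanted]
    return passed, failed, list(flows)


# Constructed sample flows: a mix of SMTP, HTTP, HTTPS and other destination ports.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 25, 6),
    Flow("203.0.113.6", "192.0.2.10", 80, 6),
    Flow("203.0.113.7", "192.0.2.10", 443, 6),
    Flow("203.0.113.8", "192.0.2.10", 22, 6),
    Flow("203.0.113.9", "192.0.2.10", 53, 17),
    Flow("203.0.113.10", "192.0.2.10", 3389, 6),
]

UNWANTED = "25,80,443"                      # the short list the page filters on
WANTED = "0-24,26-79,81-442,444-65535"      # its long complement


def negative_equals_positive(flows=SAMPLE_FLOWS) -> bool:
    """--fail on the short unwanted list yields the same records as --pass on
    the long complementary list, which is why the negative form is preferred."""
    _, fail_short, _ = rwfilter_dport(flows, UNWANTED)
    pass_long, _, _ = rwfilter_dport(flows, WANTED)
    return fail_short == pass_long


def partition_is_complete(flows=SAMPLE_FLOWS, spec=UNWANTED) -> bool:
    """Every record lands in exactly one of --pass or --fail; --all holds them all."""
    passed, failed, everything = rwfilter_dport(flows, spec)
    return (len(passed) + len(failed) == len(everything)
            and not set(passed) & set(failed)
            and set(passed) | set(failed) == set(everything))


if __name__ == "__main__":
    passed, failed, everything = rwfilter_dport(SAMPLE_FLOWS, UNWANTED)
    print(f"pass={len(passed)} fail={len(failed)} all={len(everything)}")
    print("negative == positive:", negative_equals_positive())
```

The check in partition_is_complete is the property a manifold relies on: because --pass and --fail are exact complements of one filter, chaining stages with --fail feeding the next stage's input never drops or duplicates a record.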
