System information
Filter Setup for Selected Probe
programmed to send mail whenever the honeypot receives packets on ports 23 or 80 from
a system outside of your network.
To verify that the IDS is working, you would want to capture any relevant traffic
touching the honeypot, as well as any email traffic leaving the IDS. You do not want to
filter the honeypot's traffic for email, nor do you want to filter the IDS's traffic by port
number; the two sets of conditions are independent. Here is how to use a BRANCH to implement such rule logic:
When you chain multiple rules in a filter, packets are processed using the "first match
wins" method: as soon as a packet matches any include or exclude rule in the filter, evaluation
of that packet stops, and the rules that follow the match are never applied to it. Rule order
therefore matters: an exclude rule that is meant to override an include rule must be placed before it.
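As an added illustration, not code from this manual or its product, the following Python models a filter as a set of rule chains evaluated with first-match-wins semantics, with a BRANCH that holds one chain for the honeypot and one for the IDS. The assumption that a packet is captured when any branch includes it, the Rule/Chain/Branch names, and the network, addresses and ports are this example's own constructed values. It also shows why the order of the exclude and include rules inside the honeypot chain matters.

```python
"""Model of a first-match-wins filter chain with a BRANCH node.

Added example: the classes, the branch semantics (capture if ANY branch
includes the packet) and all addresses/ports below are assumptions and
constructed sample data, not taken from the manual.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    include: bool   # True = include rule, False = exclude rule


class Chain:
    """A linear list of rules evaluated first match wins."""

    def __init__(self, *rules: Rule) -> None:
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> Optional[bool]:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.include   # first match ends evaluation of this packet
        return None                   # no rule matched


class Branch:
    """Holds independent chains; a packet is captured if any chain includes it (assumption)."""

    def __init__(self, *chains: Chain) -> None:
        self.chains = list(chains)

    def decide(self, pkt: Packet) -> bool:
        return any(chain.decide(pkt) is True for chain in self.chains)


# Constructed sample topology (hypothetical values).
INTERNAL_NET = ip_network("10.0.0.0/8")
HONEYPOT = "10.0.5.5"
IDS = "10.0.1.10"


def to_honeypot_23_80(p: Packet) -> bool:
    return p.dst == HONEYPOT and p.proto == "tcp" and p.dport in (23, 80)


def mail_from_ids(p: Packet) -> bool:
    return p.src == IDS and p.proto == "tcp" and p.dport == 25


def build_filter(internal_first: bool = True) -> Branch:
    """Honeypot chain: exclude internal sources, then include tcp/23 and tcp/80.
    With internal_first=False the include rule comes first, so first-match-wins
    lets internal traffic through; that is the ordering mistake to avoid."""
    honeypot_rules = [
        Rule("exclude internal sources",
             lambda p: ip_address(p.src) in INTERNAL_NET, include=False),
        Rule("include honeypot tcp 23/80", to_honeypot_23_80, include=True),
    ]
    if not internal_first:
        honeypot_rules.reverse()
    ids_rules = [Rule("include smtp from IDS", mail_from_ids, include=True)]
    return Branch(Chain(*honeypot_rules), Chain(*ids_rules))


# Constructed sample packets with the outcome the filter should produce.
SAMPLE: List[Packet] = [
    Packet("203.0.113.7", HONEYPOT, "tcp", 80),   # external probe of honeypot web port: capture
    Packet("203.0.113.7", HONEYPOT, "tcp", 22),   # external, but port not 23/80: drop
    Packet("10.0.2.2", HONEYPOT, "tcp", 23),      # internal telnet to honeypot: drop
    Packet(IDS, "10.0.1.25", "tcp", 25),          # IDS alert mail: capture
    Packet(HONEYPOT, "10.0.1.25", "tcp", 25),     # honeypot sending mail: drop
    Packet(IDS, "10.0.1.25", "tcp", 80),          # IDS web traffic: drop
]


def captured(filt: Branch, packets: List[Packet]) -> List[int]:
    """Indices of the packets the filter would keep."""
    return [i for i, p in enumerate(packets) if filt.decide(p)]


# Equivalent tcpdump/BPF expression for cross-checking the same logic on the wire
# (same constructed addresses; written by hand for this example).
BPF_EQUIVALENT = (
    f"(dst host {HONEYPOT} and tcp and (dst port 23 or dst port 80) and not src net 10.0.0.0/8)"
    f" or (src host {IDS} and tcp dst port 25)"
)


if __name__ == "__main__":
    print("correct order  :", captured(build_filter(), SAMPLE))               # [0, 3]
    print("include first  :", captured(build_filter(internal_first=False), SAMPLE))  # [0, 2, 3]
    print("tcpdump check  :", BPF_EQUIVALENT)
```

With the exclude rule first, only the external web probe and the IDS mail are kept. Reversing the two honeypot rules lets the internal telnet packet through, because the include rule matches first and the later exclude rule is never consulted.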
Applying Multiple Filters
In addition to applying multiple rules within filters, you can apply multiple filters to both
realtime and post-filtered captures. You can apply each filter alone or in any combination.
To apply multiple filters, check the “Use Multiple Filters” checkbox at the lower left.
Checking this box displays the Multiple Filters Selection list. In this example, 2 of the 11
user-created filters will be applied: one whose rules filter for mail (SMTP) on the IDS, and
one whose rules filter for "honeypot" traffic on ports 23 or 80.