Snort mailing list archives

Re: Ignore multiple hosts with command line arguments


From: Phil Wood <cpw () lanl gov>
Date: Mon, 3 Jun 2002 15:08:55 -0600

To save on the ink you can:

  snort <options> not host '(1.1.1.1 or 2.1.1.1)'

I prefer to use a file for my bpf filter.

  snort <options> -F snort.bpf

where snort.bpf might look like:

=======================================
tcp     and 
        (
        net     (
                        172.16.0.0/12
                        or 10.0.0.0/8
                        or 192.168.0/16
                )
        and
        port    (
                        21
                        or 22
                        or 23
                        or 25
                        or 110
                )
        and not
        host    (
                        172.16.1.1
                        or 192.168.254.1 
                )
        )
        and 
        tcp[13] & 3 != 0
=======================================

A good explanation of how to code up a filter is in the man page for tcpdump(8).

On Mon, Jun 03, 2002 at 02:55:48PM -0400, Tom Sevy wrote:
Yes you can.

snort <options> not (host 1.1.1.1 or host 2.1.1.1)

If starting snort from a script, add '\' as escape char before parens:

snort <options> not \(host 1.1.1.1 or host 2.1.1.1\)


-----Original Message-----
From: McKim, Tim [mailto:McKim () nsf org]
Sent: Monday, June 03, 2002 2:31 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] Ignore multiple hosts with command line arguments


I am using the command line

snort <options> not host x.x.x.x to eliminate alerts from a host. My
question is:

Can you use the command line to ignore multiple hosts?

If yes, what is the syntax?

Tim McKim 

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Phil Wood, cpw () lanl gov
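
As an added example (not written by anyone in this thread): a shell helper that builds the `not host ( ... )` expression used above from a list of addresses, so the result can go into a filter file for `-F`. The function names and the one-address-per-line list format are assumptions; the sample list is constructed.

```shell
#!/bin/sh
# is_ipv4: succeed only for four dot-separated decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # reject leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ignore_filter: read addresses on stdin, one per line ('#' starts a
# comment), and print a single BPF expression that excludes all of them.
# A malformed entry aborts with status 1 rather than producing a filter that
# ignores the wrong traffic. An empty list prints nothing, because "( )" is
# not a valid BPF expression.
build_ignore_filter() {
    hosts=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')       # drop whitespace
        [ -n "$line" ] || continue
        if ! is_ipv4 "$line"; then
            echo "bad address in ignore list: $line" >&2
            return 1
        fi
        hosts="${hosts:+$hosts or }$line"
    done
    [ -n "$hosts" ] || return 0
    printf 'not host ( %s )\n' "$hosts"
}

# Constructed sample list, using the addresses from the thread.
SAMPLE='# hosts to ignore
1.1.1.1
2.1.1.1   # constructed entry
'
# Redirect this output to snort.bpf, then run: snort <options> -F snort.bpf
filter=$(printf '%s' "$SAMPLE" | build_ignore_filter) && printf '%s\n' "$filter"
```

Keeping the expression in a file also avoids the shell-escaping of parentheses discussed in the quoted reply.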



