Snort mailing list archives

BPF Filters


From: "Little Mitty" <lilmitty () hotmail com>
Date: Mon, 28 Oct 2002 16:44:36 -0500

I found the email to which I referred earlier. It was originally posted by Phil Wood on 6/03/2002.

In this he said in part:

"To save on the ink you can:

 snort <options> not host '(1.1.1.1 or 2.1.1.1)'

I prefer to use a file for my bpf filter.

 snort <options> -F snort.bpf

where snort.bpf might look like:

=======================================
tcp     and
        (
        net     (
                        172.16.0.0/12
                        or 10.0.0.0/8
                        or 192.168.0/16
                )
        and
        port    (
                        21
                        or 22
                        or 23
                        or 25
                        or 110
                )
       and not
        host    (
                        172.16.1.1
                        or 192.168.254.1
                )
        )
        and
        tcp[13] & 3 != 0
======================================= "
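
To see which packets the quoted filter actually hands to Snort, here is an added example (not part of the original post) that models the filter's logic in Python. It assumes standard pcap semantics, where unqualified `net`, `port` and `host` match either source or destination; the function names and sample packets are constructed for illustration.

```python
import ipaddress

# Values copied from the snort.bpf file quoted above
# (192.168.0/16 in the file is written out here as 192.168.0.0/16).
NETS = [ipaddress.ip_network(n)
        for n in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]
PORTS = {21, 22, 23, 25, 110}
EXCLUDED = {ipaddress.ip_address(h) for h in ("172.16.1.1", "192.168.254.1")}
FIN, SYN = 0x01, 0x02  # the two low bits of TCP header byte 13

def passes_filter(proto, src, dst, sport, dport, flags):
    """Return True if the quoted filter would pass this packet to Snort."""
    if proto != "tcp":
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Unqualified primitives match on source OR destination.
    in_nets = any(s in n or d in n for n in NETS)
    on_port = sport in PORTS or dport in PORTS
    excluded = s in EXCLUDED or d in EXCLUDED
    # tcp[13] & 3 != 0 is true only when SYN or FIN is set.
    flagged = (flags & (SYN | FIN)) != 0
    return in_nets and on_port and not excluded and flagged

# Constructed sample packets: (proto, src, dst, sport, dport, tcp_flags)
SAMPLES = [
    ("tcp", "203.0.113.5", "10.1.2.3", 40000, 22, 0x02),    # SYN to ssh
    ("tcp", "203.0.113.5", "10.1.2.3", 40000, 22, 0x18),    # PSH+ACK payload
    ("tcp", "10.1.2.3", "203.0.113.5", 22, 40000, 0x12),    # SYN+ACK reply
    ("tcp", "203.0.113.5", "172.16.1.1", 40000, 25, 0x02),  # excluded host
    ("tcp", "203.0.113.5", "10.1.2.3", 40000, 80, 0x02),    # port not listed
    ("udp", "203.0.113.5", "10.1.2.3", 40000, 21, 0x00),    # not TCP
    ("tcp", "10.1.2.3", "203.0.113.5", 40000, 21, 0x11),    # FIN+ACK teardown
]

def evaluate(samples):
    """Apply the filter model to each sample and return the verdicts."""
    return [passes_filter(*pkt) for pkt in samples]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print("PASS" if verdict else "DROP", pkt)
```

The second sample shows the visibility trade-off: with this filter Snort sees only connection setup and teardown on the listed ports, so rules that match on payload in established sessions never get the data segments.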

