Re: Minimize logging

[Phil Wood <cpw () lanl gov>]

On Thu, Jan 03, 2002 at 10:17:54PM -0800, Rinaldi Montessi wrote:
> Currently all outgoing traffic is being logged; e.g.
> http, smtp, news etc.  I want to only log traffic
> coming in.  This is a single user machine.  From what
> I've read the way to do this is to add the following
> to the /etc/snort/local.rules:
>
> pass EXTERNAL_NET any -> any any # this is on eth1

Outgoing traffic from your single host would be:

  pass ip <your_host_address> any -> any any

where <your_host_address> would be something like

However, I'd just use the -F option and set a filter like:

  dst host <your_host_address>

  192.168.1.2

and forget the -o.

(I hope I got this one right...)

Later,

> with a cable-modem connection
>
> and add -o to the init script.
>
> Is this correct?  I don't want to defeat the purpose
> of the app.
>
> Linux i686, 2.4.16 kernel, snort 1.8 
>
> Rinaldi
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Send your FREE holiday greetings online!
> http://greetings.yahoo.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users