Snort mailing list archives

Re: How to ignore scan from a host

From: "Adrian Voinea" <adrian () gds ro>
Date: Sat, 1 Jun 2002 22:14:40 +0300

Hello,

I am using snort 1.8.6 build 105, and I start it like this:
/usr/local/snort/bin/snort -C -A full -D -u nobody -g nobody -c
/usr/local/snort/etc/snort.conf  \
not host 81.18.71.114 and host 81.18.71.113 and host 213.154.145.145

My problem is that if I add more than three hosts to the 'not host' option,
snort gives me this error:

Jun  1 22:07:22 kiki snort: ERROR: OpenPcap() FSM compilation failed:
^Iexpression rejects all packets
Jun  1 22:07:22 kiki snort: FATAL ERROR: PCAP command: not host 81.18.71.114
and host 81.18.71.113 and host 81.18.71.115 and host 213.154.145.145

Is there a way to completely ignore a list of hosts except for the 'not
host' option? Why does snort give this error?
Thanks,
Adrian


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

How to ignore scan from a host Tony Wong (Apr 16)
- Re: How to ignore scan from a host Brian (Apr 16)
- Re: How to ignore scan from a host Erek Adams (Apr 16)
- <Possible follow-ups>
- RE: How to ignore scan from a host Sheahan, Paul (PCLN-NW) (Apr 16)
- Re: How to ignore scan from a host Adrian Voinea (Jun 01)