RE: Variables and Negation

[Erek Adams <erek () snort org>]

On Mon, 17 Mar 2003, Jason Luke wrote:

> I don't think $HTTP_SERVERS [!192.168.2.2/32] would help me because it
> would catch unwanted traffic destined for hosts on the Internet.  (e.g.
> if somebody was accessing some website on the Internet with /intranet it
> would trigger when I don't care.)  Some people use the proxy and some do
> not.  So I see traffic to random external IP's, and internal IP's,
> including my proxy.  I want the rule to only show me traffic destined to
> servers on my network, except for the proxy.

I think the best thing would be to use a BPF filter:

        not host 192.168.2.2/32 and not port 8080

That would ignore that one host and one port (change to whatever your
proxy port is) at the libpcap level, saving CPU cycles.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users