Snort mailing list archives
Re: Snort Filtering
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 18:15:18 -0400
At 05:25 PM 4/29/2003 -0400, Michale wrote:
But can I filter out the logging based on IP or Domain Name..
Impossible based on domain name. There's not enough time for snort to do expensively slow things like DNS lookups (which may take seconds, and snort should on average be done with a packet in under a millisecond if it wants to try to keep up).
By IP, configure your rule to use a negation, instead of "any" for the IP addresses.
I assume that since you're "logging everything" you've got a rule like:

alert ip any any -> any any (msg:"packet";)

Make it:

alert ip !192.0.2.1/32 any -> any any

You can also use BPF filters to bypass, or use pass rules with the -o option to snort.
However, my biggest question is, if you're logging *everything* or close to everything, why are you using snort at all? TCPDump is a much better tool if you're just grabbing packets based on patterns in the header. Snort adds value in its ability to do fast string searches on the data, something you're not even using.
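The reply above describes three Snort 2 mechanisms for keeping one host out of a catch-all rule: a negated address in the rule header, a BPF filter, and a pass rule combined with -o. The Python below is an added example written for this archive page; it is not code from the thread or from Snort. It models only the rule-header matching that the negation and the pass/alert ordering depend on: address fields ('any', a CIDR, a '!'-negated CIDR, or a '[a,b]' list), port fields, the '->' and '<>' directions, and the rule-type evaluation order that `snort -o` changes from alert, pass, log to pass, alert, log. The packets are constructed sample traffic from documentation address ranges, and the evaluator is deliberately simplified (Snort can raise several alerts per packet), so it illustrates the semantics rather than reproducing Snort's engine.

```python
"""Model of Snort 2 rule-header matching: IP negation, address lists, and
the pass/alert ordering that `snort -o` changes. Added example, not Snort code."""
import ipaddress


def parse_addr(spec):
    """'any', '192.0.2.1', '192.0.2.0/24', '!192.0.2.1/32' or '![a,b]' -> (negated, networks)."""
    spec = spec.strip()
    neg = spec.startswith("!")
    if neg:
        spec = spec[1:].strip()
    if spec == "any":
        return neg, None
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    return neg, [ipaddress.ip_network(i.strip(), strict=False) for i in items]


def parse_port(spec):
    """'any', '80', '1024:', ':1023', '!80' -> (negated, (lo, hi) or None)."""
    spec = spec.strip()
    neg = spec.startswith("!")
    if neg:
        spec = spec[1:]
    if spec == "any":
        return neg, None
    lo, sep, hi = spec.partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return neg, (lo, hi)


def addr_hit(parsed, ip):
    neg, nets = parsed
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != neg          # a '!' field matches exactly when the address is NOT listed


def port_hit(parsed, port):
    neg, rng = parsed
    hit = True if rng is None else rng[0] <= port <= rng[1]
    return hit != neg


def parse_rule(text):
    """Parse a Snort rule header; the option block in (...) is ignored by this model."""
    action, proto, src, sport, direction, dst, dport = text.split("(", 1)[0].split()
    return {"action": action, "proto": proto, "dir": direction,
            "src": parse_addr(src), "sport": parse_port(sport),
            "dst": parse_addr(dst), "dport": parse_port(dport)}


def header_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    fwd = (addr_hit(rule["src"], pkt["src"]) and port_hit(rule["sport"], pkt["sport"])
           and addr_hit(rule["dst"], pkt["dst"]) and port_hit(rule["dport"], pkt["dport"]))
    if rule["dir"] == "<>":   # bidirectional: also try the rule with src/dst swapped
        rev = (addr_hit(rule["src"], pkt["dst"]) and port_hit(rule["sport"], pkt["dport"])
               and addr_hit(rule["dst"], pkt["src"]) and port_hit(rule["dport"], pkt["sport"]))
        return fwd or rev
    return fwd


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 2 default rule-type order
PASS_FIRST = ("pass", "alert", "log")      # order used when snort is started with -o


def decide(rules, pkt, order=DEFAULT_ORDER):
    """Action of the first matching rule, walking rule types in `order`.
    Simplified model: the type order is what decides whether a pass rule
    can suppress an alert rule that also matches the packet."""
    for action in order:
        for r in rules:
            if r["action"] == action and header_matches(r, pkt):
                return action
    return None


# Constructed sample packets (not from the thread); documentation address ranges.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.1", "sport": 40000, "dst": "198.51.100.7", "dport": 80},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "192.0.2.1", "dport": 40000},
    {"proto": "udp", "src": "10.1.2.3", "sport": 53, "dst": "203.0.113.5", "dport": 53},
]


def alerted_sources(rule_text, packets=PACKETS):
    """Source addresses of the sample packets whose header matches one rule."""
    rule = parse_rule(rule_text)
    return [p["src"] for p in packets if header_matches(rule, p)]


def pass_demo(order=DEFAULT_ORDER, packets=PACKETS):
    """Catch-all alert plus a pass rule for 192.0.2.1: outcome per packet under `order`."""
    rules = [parse_rule('alert ip any any -> any any (msg:"packet";)'),
             parse_rule("pass ip 192.0.2.1/32 any -> any any")]
    return [decide(rules, p, order) for p in packets]


if __name__ == "__main__":
    print(alerted_sources("alert ip !192.0.2.1/32 any -> any any"))
    print(alerted_sources("alert ip ![192.0.2.0/24,10.0.0.0/8] any -> any any"))
    print(alerted_sources("alert tcp any any <> 198.51.100.7 80"))
    print(pass_demo(DEFAULT_ORDER), pass_demo(PASS_FIRST))
```

The last line is the point of the -o remark: with the default order the catch-all alert rule is evaluated before the pass rule, so 192.0.2.1 still generates an alert; with the pass-first order the pass rule claims the packet and the alert never fires.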
Current thread:
- Snort Filtering Michale (Apr 29)
- Re: Snort Filtering Matt Kettler (Apr 29)
- <Possible follow-ups>
- Re: Snort Filtering Neil Dickey (Apr 29)
- Re[2]: Snort Filtering Michale (Apr 29)
- Re: Re[2]: Snort Filtering twig les (Apr 29)
- Re[2]: Snort Filtering Michale (Apr 29)
- RE: Snort Filtering L. Christopher Luther (Apr 29)
- Re: Re[2]: Snort Filtering Neil Dickey (Apr 29)