Snort mailing list archives

Re: Snort Filtering


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 18:15:18 -0400


At 05:25 PM 4/29/2003 -0400, Michale wrote:
  But can I filter out the logging based on IP or Domain Name..

Impossible based on domain name. There's not enough time for snort to do expensively slow things like DNS lookups (which may take seconds, and snort should on average be done with a packet in under a millisecond if it wants to try to keep up).

By IP, configure your rule to use a negation, instead of "any" for the IP addresses.

I assume that since you're "logging everything".. you've got a rule like
alert ip any any -> any any (msg:"packet";)

Make it
alert ip !111.222.333.444/32 any -> any any

You can also use BPF filters to bypass, or use pass rules with the -o option to snort.

However, my biggest question is, if you're logging *everything* or close to everything, why are you using snort at all? TCPDump is a much better tool if you're just grabbing packets based on patterns in the header. Snort adds value in its ability to do fast string searches on the data, something you're not even using.
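Added example, not from Matt's mail or from the Snort code base: a small Python model of the two mechanisms he points at, Snort-style address negation in a rule header and the pass-before-alert order that `-o` selects. The rules, addresses and the simplified parser are constructed for illustration, not Snort's own parser.

```python
# Simplified model of Snort rule-header address matching and rule ordering.
# Constructed example; not Snort's implementation.
import ipaddress

def parse_ip_spec(spec):
    """Parse a Snort-style address field: 'any', 'a.b.c.d/n', '!a.b.c.d/n'
    or a bracketed list '[a.b.c.d/n,x.y.z.w/m]' (a list may be negated whole)."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.strip("[]").split(",")]
    return negated, nets

def ip_matches(spec, addr):
    """True if addr satisfies the address field; a leading '!' flips the result."""
    negated, nets = parse_ip_spec(spec)
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated

ORDER_DEFAULT = ("alert", "pass", "log")     # Snort's default rule order
ORDER_PASS_FIRST = ("pass", "alert", "log")  # the order 'snort -o' selects

def first_action(rules, src, dst, pass_first=False):
    """Return the action of the first rule matching (src, dst), walking the
    rule groups in Snort's order. rules: list of (action, src_spec, dst_spec)."""
    order = ORDER_PASS_FIRST if pass_first else ORDER_DEFAULT
    for action in order:
        for act, s_spec, d_spec in rules:
            if act == action and ip_matches(s_spec, src) and ip_matches(d_spec, dst):
                return action
    return None

# Constructed rule set: "log everything" except one host, plus a pass rule
# for a trusted subnet (placeholder documentation addresses).
RULES = [
    ("alert", "!192.0.2.10/32", "any"),
    ("pass", "192.0.2.0/24", "any"),
]

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "10.0.0.5"):
        print(src, "default:", first_action(RULES, src, "10.0.0.1"),
              "-o:", first_action(RULES, src, "10.0.0.1", pass_first=True))
```

Without `-o` the alert group is checked first, so the pass rule only helps the host the negation already excludes; with `-o` the whole trusted subnet is passed before any alert rule is consulted.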



