RE: help with regular expressions

[SRH-Lists <giermo () 333tech com>]

> Hi all!
> I just install snort-2.0.0rc2 and want snort to NOT report any alert 
> from hosts a.a.a.a and host b.b.b.b of destiny c.c.c.c port dddd.
>
> Is this correct?:
> /usr/local/bin/snort -D -i eth1 -A fast -N -c 
> /usr/local/snort/rules/snort.conf not \( \(src host a.a.a.a 
> or src host 
> b.b.b.b\) and dst host c.c.c.c and dst port dddd\)

That looks right to me.
 
> It seems OK, is working now. Just want to verify with you, 
> and want to 
> know if is possible to put that expression
> in the file snort.conf, and how?

There is no way to put that into snort.conf.  You can, however, put it
in a text file (eg. filter.txt) and use the -F switch on the snort
commandline.  

Like this:

snort -D -i eth1 -A fast -N -c /path/to/snort.conf -F
/path/to/filter.txt


I am not sure how the syntax of the bpf changes when it is in a file,
but IIRC you can leave out the '\'s.

So filter.txt would be:

((src host a.a.a.a or src host b.b.b.b) and dst host c.c.c.c and dst
port dddd)

-steve


-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users