Snort mailing list archives
Re: Rule to pass ARP?
From: Matt Kettler <mkettler () evi-inc com>
Date: Sun, 14 Dec 2003 12:25:04 -0500
At 11:03 AM 12/14/2003, Toby Rodwell wrote:
I would like to use SNORT to monitor my home Internet connection. Because my connection is a cable-modem about 90% of the traffic is ARP. I know I can pass all ARP traffic with an expression 'not arp' at the end of the command line, but how might I do this using a rule (because it appears there is no 'arp' type yet)? Ideally, I'd like to pass all ARP messages which aren't searching for my IP address - is there something clever you can do with pattern matching in the ARP packet's content?
First question... why do you need to pass arp messages in the first place... AFAIK, none of the standard rules examine arp packets, so given the RTN construction of snort a pass rule would not be any faster than no rule.
------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rule to pass ARP? Toby Rodwell (Dec 14)
- Re: Rule to pass ARP? Matt Kettler (Dec 14)
- RE: Rule to pass ARP? Toby Rodwell (Dec 14)
- Re: Rule to pass ARP? Matt Kettler (Dec 14)