Snort mailing list archives

Re: Rule to pass ARP?


From: Matt Kettler <mkettler () evi-inc com>
Date: Sun, 14 Dec 2003 12:25:04 -0500

At 11:03 AM 12/14/2003, Toby Rodwell wrote:
> I would like to use SNORT to monitor my home Internet connection.  Because
> my connection is a cable-modem about 90% of the traffic is ARP.  I know I
> can pass all ARP traffic with an expression 'not arp' at the end of the
> command line, but how might I do this using a rule (because it appears there
> is no 'arp' type yet)?  Ideally, I'd like to pass all ARP messages which
> aren't searching for my IP address - is there something clever you can do
> with pattern matching in the ARP packet's content?

First question: why do you need to pass ARP messages in the first place? AFAIK, none of the standard rules examine ARP packets, so given the RTN construction of Snort, a pass rule would not be any faster than no rule.
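
Added example, not part of the original thread and not Snort code: the question mentions the BPF expression `not arp` on the command line; the sketch below generalizes it to an expression that still lets through ARP requests for one address, and mirrors that expression in Python over constructed frames. It assumes untagged Ethernet and IPv4 ARP; the function names and the 192.0.2.x addresses are made up for illustration.

```python
import ipaddress
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_LEN = 28              # Ethernet/IPv4 ARP: opcode at offset 6, target IP at 24


def bpf_keep_only_arp_for(my_ip: str) -> str:
    """BPF expression: drop all ARP except requests whose target IP is my_ip."""
    tpa = int(ipaddress.IPv4Address(my_ip))
    return f"not arp or (arp[6:2] = {ARP_REQUEST} and arp[24:4] = 0x{tpa:08x})"


def frame_passes(frame: bytes, my_ip: str) -> bool:
    """Mirror of the expression above: True if the frame would reach the sensor."""
    if len(frame) < ETH_HDR_LEN:
        return False      # BPF rejects a packet when a load runs past its end
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return True       # "not arp" branch
    arp = frame[ETH_HDR_LEN:]
    if len(arp) < ARP_LEN:
        return False      # truncated ARP: out-of-bounds load, rejected
    (oper,) = struct.unpack_from("!H", arp, 6)
    target_ip = ipaddress.IPv4Address(arp[24:28])
    return oper == ARP_REQUEST and target_ip == ipaddress.IPv4Address(my_ip)


def make_arp_frame(oper: int, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed (not captured) Ethernet ARP frame for testing."""
    src_mac = bytes.fromhex("020000000001")
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


if __name__ == "__main__":
    me = "192.0.2.10"     # constructed address (documentation range)
    print(bpf_keep_only_arp_for(me))
    for tpa in ("192.0.2.10", "192.0.2.99"):
        frame = make_arp_frame(ARP_REQUEST, "192.0.2.1", tpa)
        print(tpa, "passes" if frame_passes(frame, me) else "filtered")
```

The printed expression goes at the end of the command line, in the same position as the `not arp` expression mentioned in the question.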



