Snort mailing list archives

Re: threshold and suppress ??


From: Thomas Bechtold <Thomas () jpberlin de>
Date: Tue, 2 Mar 2004 14:52:17 +0100

On Tuesday 02 March 2004 13:49, Jason wrote:
> If you want to ignore all alerts from a specific address, or to an
> address, use BPF filters.
>
> In /path/to/some/file add
>
> not (src host x.y.z.ip and dst host z.x.y.ip)
> and not (src host a.b.c.ip and dst port 12345)
>
> etc. etc., and run snort with -F /path/to/some/file
>
> That's a really basic filter file. Search the archives; people have posted
> many times on how to use BPF filters.

And there is some info about BPF filters in the tcpdump manpage.

Cheers, Thomas
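The point that matters for a defender is that a filter loaded with `-F` is applied by libpcap before any rule runs, so a flow matched by one of those `not (...)` clauses is not merely silenced, it is never inspected at all. The script below is an added example, not Jason's or Thomas's code and not Snort's own filter handling: it models only the two clause shapes from the message (src host plus dst host, src host plus dst port) over a few constructed packets, using placeholder addresses in place of the `x.y.z.ip` style of the post, so you can see which traffic leaves inspection entirely.

```python
"""Model of the -F exclusion filter quoted in the thread (added example).

Snort hands the contents of the -F file to libpcap, which compiles it to
BPF; this script only mimics the semantics of the two clause shapes shown
in the message so the effect of each line can be checked offline.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


# Filter text as it would sit in /path/to/some/file.  Addresses are
# constructed placeholders, not values from the original post.
FILTER_FILE = """\
not (src host 10.0.0.5 and dst host 192.0.2.10)
and not (src host 10.0.0.7 and dst port 12345)
"""

# Constructed sample traffic: (src, dst, dport).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80),     # excluded by clause 1
    Packet("10.0.0.5", "192.0.2.11", 80),     # same source, other host: inspected
    Packet("10.0.0.7", "203.0.113.9", 12345), # excluded by clause 2
    Packet("10.0.0.7", "203.0.113.9", 22),    # same source, other port: inspected
    Packet("10.0.0.9", "192.0.2.10", 12345),  # no clause matches: inspected
]


def parse_excluded_flows(text):
    """Extract (src, 'host'|'port', value) from each 'not (src host A and
    dst host B)' or 'not (src host A and dst port P)' clause.

    The file may span several lines; libpcap treats newlines as whitespace,
    so the lines are joined into one expression before matching.
    """
    expr = " ".join(text.split())
    pattern = r"not \(src host (\S+) and dst (host|port) (\S+)\)"
    return [m.groups() for m in re.finditer(pattern, expr)]


def inspected(pkt, clauses):
    """True if the packet survives the BPF filter and reaches the rules."""
    for src, kind, val in clauses:
        if pkt.src != src:
            continue
        if kind == "host" and pkt.dst == val:
            return False
        if kind == "port" and pkt.dport == int(val):
            return False
    return True


def classify(text=FILTER_FILE, packets=SAMPLE_PACKETS):
    """Map each sample packet to whether it is still inspected."""
    clauses = parse_excluded_flows(text)
    return {p: inspected(p, clauses) for p in packets}


if __name__ == "__main__":
    for pkt, seen in classify().items():
        state = "inspected" if seen else "dropped before rules"
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {state}")
```

Because the exclusion is on the capture side, a host listed in such a clause can send anything to the excluded destination without generating an alert; keep the clauses as narrow as the `dst port` form in the post allows, and review the file whenever the excluded hosts change role.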


