Snort mailing list archives
Re: Snort rule setting
From: Eric Hines <eric.hines () appliedwatch com>
Date: Thu, 05 Oct 2006 17:37:23 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, so it sounds like what you want to do is filter out certain traffic that you don't care about sending to Snort. So what you want to do is use BPF filters, which Snort supports. e.g.

$ snort 'not src or dst port 25'

or

$ snort 'not src or dst port 25 and not src or dst 192.168.0.1'

or whatever you want to do. This will prevent Snort from pattern matching against this traffic. You'll want to pick up a whitepaper or something on BPF filter usage.

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

- --------------------------------------------------
Email: eric.hines () appliedwatch com
Address: 1095 Pingree Road Suite 221
Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
- --------------------------------------------------
Security Management for the Open Source Enterprise

Greta.Ji () sungard com wrote:
> Snort scans the FW port on the Internet DMZ. It works fine. But I see there is a lot of traffic. I would like to filter some of it out. Ex: Any SMTP (25) to mail servers I don't want to see, but I want to see DoS, overflow attempts, ... and port 25 sent to another system. Looks like I did not find the right doc to read. I know how to add more rules, but how can I filter them out?
>
> Thank you for the help,
> --Greta
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJYkj1va6QYTV0EMRAuVuAJ9Gtd+QS/N3wERDmzJEp83t8N8eiwCfewMS
NMCfvFObZtla0ZJUlK54ymU=
=6Wch
-----END PGP SIGNATURE-----
Attachment:
eric.hines.vcf
Description:
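An added example, not part of the thread and not Applied Watch or Snort project code: Greta's requirement is to drop SMTP to the mail servers while still seeing port 25 going to any other system, so the BPF expression needs the host qualifier alongside the port, and the two have to be grouped with parentheses (a bare "not port 25" excludes port 25 everywhere). The script below builds that expression and mirrors its semantics over a few constructed flows so the effect can be checked without a running sensor. The mail-server and client addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are hypothetical documentation-range values, not anything mentioned on the list.

```shell
#!/bin/sh
# Added example (not from the thread): build a BPF expression that excludes
# SMTP to known mail servers only, so port-25 traffic to any other host is
# still handed to Snort. Addresses are hypothetical (RFC 5737 ranges).

# Constructed list of mail servers whose SMTP traffic should not be inspected.
MAIL_SERVERS="192.0.2.10 192.0.2.11"

# mail_bpf <ip> [<ip> ...]
# Prints a pcap-filter expression. The parentheses matter: without them,
# "not tcp port 25 and host A" would also drop every other protocol to A.
mail_bpf() {
    hosts=""
    for ip in "$@"; do
        if [ -z "$hosts" ]; then
            hosts="host $ip"
        else
            hosts="$hosts or host $ip"
        fi
    done
    printf 'not (tcp port 25 and (%s))\n' "$hosts"
}

# dropped_by_filter <proto> <src> <sport> <dst> <dport>
# Mirrors the filter's semantics on a constructed flow: exit 0 if the packet
# would never reach Snort, 1 if it would still be inspected. In BPF "port 25"
# matches either end and "host X" matches X as source or destination.
dropped_by_filter() {
    proto=$1 src=$2 sport=$3 dst=$4 dport=$5
    [ "$proto" = tcp ] || return 1
    [ "$sport" = 25 ] || [ "$dport" = 25 ] || return 1
    for m in $MAIL_SERVERS; do
        if [ "$src" = "$m" ] || [ "$dst" = "$m" ]; then
            return 0
        fi
    done
    return 1
}

# verdict <proto> <src> <sport> <dst> <dport>  -> "filtered" or "inspected"
verdict() {
    if dropped_by_filter "$@"; then echo filtered; else echo inspected; fi
}

# Stand-alone demonstration on constructed sample flows.
FILTER=$(mail_bpf $MAIL_SERVERS)
echo "BPF: $FILTER"
# Typical use: write the expression to a file and start Snort with -F,
#   snort -c /etc/snort/snort.conf -F smtp.bpf
# or pass it as trailing arguments, as in the reply above.
for flow in \
    "tcp 203.0.113.5 51000 192.0.2.10 25" \
    "tcp 192.0.2.11 25 203.0.113.5 44000" \
    "tcp 203.0.113.5 51001 198.51.100.7 25" \
    "tcp 203.0.113.5 51002 192.0.2.10 80" \
    "udp 203.0.113.5 53 192.0.2.10 25"; do
    echo "$flow -> $(verdict $flow)"
done
```

Two things to keep in mind when using this. A BPF filter removes packets before any preprocessor or rule runs, so an overflow attempt carried inside an SMTP session to those mail servers (the kind of event the question says should still be seen) becomes invisible to the sensor. If the real problem is noisy alerts rather than load, Snort's threshold.conf `suppress` entries (keyed on gen_id and sig_id, with track by_src or by_dst and an ip) silence specific alerts for specific hosts while leaving the traffic fully inspected.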
Current thread:
- I can not see it Greta.Ji (Oct 05)
- Re: I can not see it Eric Hines (Oct 05)
- Re: I can not see it Greta.Ji (Oct 05)
- Snort rule setting Greta.Ji (Oct 05)
- Re: Snort rule setting Eric Hines (Oct 05)
- Re: I can not see it Esteban Ribicic (Oct 18)
- Re: I can not see it Greta.Ji (Oct 05)
- Re: I can not see it Patrick S. Harper (Oct 05)
- Re: I can not see it Greta.Ji (Oct 05)
- Re: I can not see it Patrick S. Harper (Oct 05)
- Re: I can not see it Nick Oliver (Oct 18)
- Re: I can not see it Greta.Ji (Oct 05)
- Re: I can not see it Eric Hines (Oct 05)
- <Possible follow-ups>
- Re: I can not see it Michael Scheidell (Oct 06)