Snort mailing list archives

Re: Snort rule setting


From: Eric Hines <eric.hines () appliedwatch com>
Date: Thu, 05 Oct 2006 17:37:23 -0500


OK, so it sounds like what you want to do is filter out certain traffic
that you don't care about sending to Snort. So what you want to do is
use BPF filters, which Snort supports.

e.g.

$ snort 'not src or dst port 25'

or

$ snort 'not src or dst port 25 and not src or dst 192.168.0.1'

or whatever you want to do. This will prevent Snort from pattern
matching against this traffic. You'll want to pick up a whitepaper or
something on BPF filter usage.



Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

Email:   eric.hines () appliedwatch com
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
         60014
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

--------------------------------------------------
Security Management for the Open Source Enterprise
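The reply's filter drops every packet with port 25 on either side, while the question asks to keep port 25 traffic to systems other than the mail servers. The added example below (not from the thread or from Snort itself) puts the thread's BPF expression beside a narrower one and evaluates both over constructed TCP flows, so the resulting visibility gap can be checked offline; the Python predicates only mirror the pcap-filter semantics of those two expressions, and the mail server addresses are constructed placeholders.

```python
"""Compare two Snort BPF exclusions against constructed flows.

Added example, not code from the thread. The BPF strings are real
pcap-filter expressions; the predicate beside each one mirrors its
semantics for TCP flows so the effect can be checked without a capture.
"""
from dataclasses import dataclass

# Constructed placeholder addresses for the DMZ mail servers.
MAIL_SERVERS = {"192.0.2.10", "192.0.2.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    label: str


def port25(f: Flow) -> bool:
    return 25 in (f.sport, f.dport)


def mail_host(f: Flow) -> bool:
    return f.src in MAIL_SERVERS or f.dst in MAIL_SERVERS


# Filter from the reply: Snort never sees any packet involving port 25.
BROAD_BPF = "not src or dst port 25"
def broad_keep(f: Flow) -> bool:
    return not port25(f)


# Narrower exclusion: drop port 25 only when a known mail server is involved,
# so port 25 probes at other DMZ hosts still reach the rule engine.
NARROW_BPF = "not (port 25 and (host 192.0.2.10 or host 192.0.2.11))"
def narrow_keep(f: Flow) -> bool:
    return not (port25(f) and mail_host(f))


# Constructed sample flows (client ports are arbitrary).
FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 40001, 25, "inbound mail to mail server"),
    Flow("192.0.2.10", "198.51.100.9", 40002, 25, "mail server relaying out"),
    Flow("203.0.113.7", "192.0.2.50", 40003, 25, "port 25 to a non-mail host"),
    Flow("203.0.113.7", "192.0.2.50", 40004, 80, "web traffic"),
]


def inspected(keep) -> list:
    """Labels of the flows Snort would still inspect under a keep predicate."""
    return [f.label for f in FLOWS if keep(f)]
```

Either expression is passed to Snort as the trailing BPF argument, as in the reply; the narrow one keeps the port 25 traffic to non-mail hosts that the question wants to see.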





Greta.Ji () sungard com wrote:
Snort scans the FW port on the Internet DMZ. It works fine. But I see
there is a lot of traffic. I would like to filter some of it out.

Ex: Any SMTP (25) to the mail servers I don't want to see, but I want to
    see DoS, overflow attempts, .. and port 25 sent to another system.

Looks like I did not find the right doc to read. I know how to add more
rules, but how can I filter them out?

Thank you for the help,

--Greta


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users