[Snort-users] VPN traffic
twhipp at ...63...
Thu Aug 3 04:33:46 EDT 2000
Just to chip in, what I think would be very useful is the ability to pass
parameters to included configuration files. I currently have an audit file
that I include when debugging hosts (basically six rules to log any traffic
inbound or outbound) but whenever I use it I have to edit the variable at
the top (and I'm not clear if I can include it multiple times without
changing the variable name).
What I would really like to do is something like:
include audit_host.rul xxx.xxx.xxx.xxx/32
I can also see this being very useful for monitoring multiple subnets
(particularly if you could pass multiple args).
Mind you I suspect this would be a lot of work and I haven't looked at the
config parsing code yet.
If you do implement an any protocol, would that enable snort to log
protocols which it doesn't understand or would any be a synonym for
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bill
Sent: 02 August 2000 22:28
To: fyodor at ...123...
Cc: Bob Van Cleef; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] VPN traffic
I would vote for an any option. There are times when I want to watch
everything from or to a certain place.
> ~ :alert ICMP 126.96.36.199/32 any -> any any (msg: "NS10 Outbound
> ~ :alert ICMP any any -> 188.8.131.52/32 any (msg: "NS10 Inbound
> ~ :
> ~ :Two questions:
> ~ :
> ~ : - Is there a way to say "any" for the protocol?
> ~ :
> if there's a real need in that, it could be implemented (not really soon
> though, I've got around 4 snort-related tasks pending in my todo list:))
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
Senior IT Manager
billp at ...60...
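
The parameterised include asked for at the top of this message can be approximated by generating the audit rules per host and including the generated file. The script below is an added example, not code from the thread or from Snort; the output file name audit_hosts.rules is hypothetical, and the six rules are assumed to be one header-only log rule per direction for tcp, udp and icmp, since the original audit file is not shown.

```python
#!/usr/bin/env python3
"""Generate per-host Snort audit rules (added example, not from the thread)."""
import ipaddress
import sys

# Assumption: the "six rules" are one log rule per direction for each of
# these protocols (3 protocols x 2 directions). The real file is not shown.
PROTOCOLS = ("tcp", "udp", "icmp")


def normalize(target):
    """Validate a host or subnet and return it in canonical CIDR form."""
    # strict=False accepts host bits, e.g. 192.0.2.77/24 -> 192.0.2.0/24;
    # a bare address becomes a /32. Invalid input raises ValueError.
    net = ipaddress.ip_network(target.strip(), strict=False)
    if net.version != 4:
        raise ValueError("IPv4 targets only: %r" % target)
    return str(net)


def audit_rules(target):
    """Return the six log rules (outbound then inbound per protocol)."""
    cidr = normalize(target)
    rules = []
    for proto in PROTOCOLS:
        rules.append("log %s %s any -> any any" % (proto, cidr))
        rules.append("log %s any any -> %s any" % (proto, cidr))
    return rules


def render(targets):
    """Build one rules file body covering every distinct target once."""
    seen, lines = set(), []
    for target in targets:
        cidr = normalize(target)
        if cidr in seen:  # same host given twice: emit its rules only once
            continue
        seen.add(cidr)
        lines.append("# audit: %s" % cidr)
        lines.extend(audit_rules(cidr))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: gen_audit.py 192.0.2.10 198.51.100.0/24 > audit_hosts.rules
    try:
        sys.stdout.write(render(sys.argv[1:]))
    except ValueError as exc:
        sys.exit("bad target: %s" % exc)
```

Because the address is written into each rule, no variable has to be edited or renamed when several hosts are audited at once.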