[Snort-users] Ignoring more than one host completely

Wirth, Jeff WirthJe at ...4876...
Wed Aug 14 06:14:02 EDT 2002


From: Srijith.K [mailto:srijith at ...2240...]

> The snort FAQ states that if I need to completely
> ignore packets from a particular IP address I can use
> the BPF style filter at command line like:
> 
> $ snort <commandline options> not host 192.168.0.1
> 
> My question is, what if I need to ignore more than one IP address?
> How do I pass it in command line? Is it -
> 
> $ snort <commandline options> not host 192.168.0.1 
> 192.168.10.1 192.168.12.1
> 
> Is the separator between the IP addresses ' ' or is it something else?

A separator is not used with BPF; you need to add a *condition*: "and",
"or", "not". One of the following should work:

$ snort <options> 'not (host a.a.a.a or host b.b.b.b or host c.c.c.c)'
$ snort <options> not host a.a.a.a and not host b.b.b.b and not host c.c.c.c


- Jeff
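
Added example (not part of the original thread): a small shell helper that builds the multi-host ignore filter discussed above from a list of addresses, in both the grouped form and the equivalent flat form. The function names are made up for this illustration; the sample addresses are the ones from the question.

```shell
#!/bin/sh
# Added example: build a BPF filter that makes Snort ignore several hosts.
# Function names are constructed for this illustration.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
    case "$1" in
        "" | *[!0-9.]* | *..* | .* | *.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Join validated hosts into one expression.
#   $1 = text placed before each host, $2 = joining keyword, rest = hosts
join_hosts() {
    prefix=$1 joiner=$2 filter=""
    shift 2
    [ "$#" -gt 0 ] || { echo "no hosts given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
        filter="${filter:+$filter $joiner }$prefix $ip"
    done
    printf '%s\n' "$filter"
}

# Grouped form: not (host A or host B ...)
build_ignore_filter() {
    inner=$(join_hosts host or "$@") || return 1
    printf 'not (%s)\n' "$inner"
}

# Flat form (De Morgan): not host A and not host B ...
# Joining the negated terms with "or" instead would drop only packets
# that involve every listed host at once.
build_ignore_filter_flat() {
    join_hosts "not host" and "$@"
}

# Pass the result as ONE quoted argument so the shell leaves the
# parentheses alone:
#   snort <options> "$(build_ignore_filter 192.168.0.1 192.168.10.1 192.168.12.1)"
```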
