[Snort-users] How to ignore scan from a host

Adrian Voinea adrian at ...5989...
Sat Jun 1 19:29:02 EDT 2002


Hello,

I am using snort 1.8.6 build 105, and I start it like this:
/usr/local/snort/bin/snort -C -A full -D -u nobody -g nobody \
    -c /usr/local/snort/etc/snort.conf \
    not host 81.18.71.114 and host 81.18.71.113 and host 213.154.145.145

My problem is that if I add more than three hosts to the 'not host' option,
snort gives me this error:

Jun  1 22:07:22 kiki snort: ERROR: OpenPcap() FSM compilation failed:
^Iexpression rejects all packets
Jun  1 22:07:22 kiki snort: FATAL ERROR: PCAP command: not host 81.18.71.114
and host 81.18.71.113 and host 81.18.71.115 and host 213.154.145.145

Is there a way to completely ignore a list of hosts except for the 'not
host' option? Why does snort give this error?
Thanks,
Adrian
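
Added example, not part of the original post: in pcap filter syntax `not` binds only to the primitive that follows it and `host X` matches a packet whose source or destination is X, so the filter as written requires every packet to involve all of the remaining hosts at once. The Python model below uses the addresses from the post plus two constructed ones (10.0.0.1, 10.0.0.2); its function names are hypothetical. It compares the filter as written with the grouped form `not (host A or host B ...)`.

```python
from itertools import permutations

# Hosts from the failing filter in the post; the 10.0.0.x hosts are constructed.
IGNORED = ["81.18.71.114", "81.18.71.113", "81.18.71.115", "213.154.145.145"]
POOL = IGNORED + ["10.0.0.1", "10.0.0.2"]

def host(pkt, addr):
    """pcap 'host X' primitive: true if X is the source or the destination."""
    return addr in pkt

def as_written(pkt, hosts=IGNORED):
    """'not host A and host B and host C ...': 'not' covers only the first host."""
    return (not host(pkt, hosts[0])) and all(host(pkt, h) for h in hosts[1:])

def grouped(pkt, hosts=IGNORED):
    """'not (host A or host B ...)': reject any packet to or from a listed host."""
    return not any(host(pkt, h) for h in hosts)

def exclude_filter(hosts):
    """Build the grouped filter string to pass as the capture filter."""
    if not hosts:
        return ""
    return "not (" + " or ".join("host " + h for h in hosts) + ")"

def accepted(pred, hosts=IGNORED):
    """All (src, dst) pairs drawn from POOL that the predicate lets through."""
    return [p for p in permutations(POOL, 2) if pred(p, hosts)]

if __name__ == "__main__":
    # Four hosts: a packet has only two addresses, so nothing can match.
    print("as written, 4 hosts:", accepted(as_written))
    # Three hosts (the command that started): only traffic between the
    # second and third host is captured, which is not an ignore list.
    print("as written, 3 hosts:", accepted(as_written, IGNORED[:2] + IGNORED[3:]))
    # Grouped form: only traffic that avoids every listed host is captured.
    print("grouped:", accepted(grouped))
    print(exclude_filter(IGNORED))
```

On a shell command line the grouped expression must be quoted so the parentheses reach the filter compiler unchanged.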




