[Snort-users] Ignore multiple hosts with command line arguments

Phil Wood cpw at ...440...
Mon Jun 3 14:09:05 EDT 2002


To save on the ink you can:

  snort <options> not host '(1.1.1.1 or 2.1.1.1)'

I prefer to use a file for my bpf filter.

  snort <options> -F snort.bpf

where snort.bpf might look like:

=======================================
tcp	and 
	(
	net	(
			172.16.0.0/12
			or 10.0.0.0/8
			or 192.168.0/16
		)
	and
	port	(
			21
			or 22
			or 23
			or 25
			or 110
		)
        and not
	host	(
			172.16.1.1
			or 192.168.254.1 
		)
	)
	and 
	tcp[13] & 3 != 0
=======================================

A good explanation of how to code up a filter is in the man page for tcpdump(8).

On Mon, Jun 03, 2002 at 02:55:48PM -0400, Tom Sevy wrote:
> Yes you can.
> 
> snort <options> not (host 1.1.1.1 or host 2.1.1.1)
> 
> If starting snort from a script, add '\' as escape char before parens:
> 
> snort <options> not \(host 1.1.1.1 or host 2.1.1.1\)
> 
> 
> -----Original Message-----
> From: McKim, Tim [mailto:McKim at ...5996...]
> Sent: Monday, June 03, 2002 2:31 PM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] Ignore multiple hosts with command line arguments
> 
> 
> I am using the command line
> 
> snort <options> not host x.x.x.x to eliminate alerts from a host. My
> question is:
> 
> Can you use the command line to ignore multiple hosts?
> 
> If yes, what is the syntax?
> 
> Tim McKim 
> 
> _______________________________________________________________
> 
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-- 
Phil Wood, cpw at ...440...




