[Snort-users] VAR and IP lists

Erek Adams erek at ...577...
Sat Mar 30 20:11:05 EST 2002


On Sat, 30 Mar 2002, Subba Rao wrote:

[...snip...]

> Some of the packets for the hosts in the VAR list (ex: 10.11.10.12) would
> still get alerted.

Ok, so you want to ignore some hosts and some packets but not all packets from
the entire list of hosts?

[...snip...]

> I am assuming you mean the preprocessor. The hosts in these VAR lists do not
> have any preprocessor related activities.

Ok.  They are simply stand-alone then.

> As for portscans, I have included my routers in another large VAR list and
> seems to work well. However, I would like to know how do you deal with the
> same issue (portscans) using BPF filters.

It's the same style of filters that tcpdump uses.  Have a look at the
tcpdump man page for some examples.

snort <options> 'host X and port Y'

Such as that...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
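
Added example, not part of the original message: one way to turn a list of hosts to ignore into the tcpdump-style filter described above. The function names are hypothetical, and 10.11.10.1 is a constructed address alongside the thread's 10.11.10.12.

```shell
#!/bin/sh
# Added example: build "not (host A or host B ...)" for use as Snort's BPF filter.
# Packets the filter drops never reach Snort, so no rule or preprocessor sees them.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ignore_filter HOST...: print the exclusion filter, or fail on bad input.
# Failing closed matters: an entry such as "10.0.0.1 or net 0.0.0.0/0" would
# otherwise widen the exclusion far beyond the intended hosts.
build_ignore_filter() {
    filter_body=""
    for h in "$@"; do
        if ! is_ipv4 "$h"; then
            echo "refusing invalid address: $h" >&2
            return 1
        fi
        if [ -z "$filter_body" ]; then
            filter_body="host $h"
        else
            filter_body="$filter_body or host $h"
        fi
    done
    [ -n "$filter_body" ] || return 1
    printf 'not (%s)\n' "$filter_body"
}

# 10.11.10.12 is the host from the thread; 10.11.10.1 is a constructed value.
build_ignore_filter 10.11.10.12 10.11.10.1
# Passed to Snort the way the message shows:
#   snort <options> "$(build_ignore_filter 10.11.10.12 10.11.10.1)"
```

Because excluded traffic is invisible to every rule, keep the ignore list short and review it whenever the hosts on it change role.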
