[Snort-users] VAR and IP lists
erek at ...577...
Sat Mar 30 20:11:05 EST 2002
On Sat, 30 Mar 2002, Subba Rao wrote:
> Some of the packets for the hosts in the VAR list (ex: 10.11.10.12) would
> still get alerted.
Ok, so you want to ignore some hosts and some packets but not all packets from
the entire list of hosts?
> I am assuming you mean the preprocessor. The hosts in these VAR lists do not
> have any preprocessor related activities.
Ok. They are simply stand-alone then.
> As for portscans, I have included my routers in another large VAR list and
> seems to work well. However, I would like to know how do you deal with the
> same issue (portscans) using BPF filters.
It's the same style of filters that tcpdump uses. Have a look at the
tcpdump man page for some examples.
snort <options> 'host X and port Y'
Such as that...
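
Added example, not part of the original message: a shell helper that turns a Snort-style VAR address list into a tcpdump-style BPF expression that can be passed to snort in the way shown above. The function name `var_to_bpf_exclude` and the sample addresses are assumptions made for illustration; packets dropped by a BPF filter never reach Snort's rules or preprocessors, so a host excluded this way produces no alerts at all.

```shell
#!/bin/sh
# Added illustration: convert a Snort-style VAR list of literal IPs/CIDRs
# into a BPF expression that excludes those hosts from capture.
# var_to_bpf_exclude is a hypothetical helper name, not a Snort tool.

var_to_bpf_exclude() (
    # Body runs in a subshell so the IFS change does not leak to the caller.
    list=$(printf '%s' "$1" | tr -d '[] ')
    terms=""
    IFS=,
    for entry in $list; do
        [ -n "$entry" ] || continue
        case $entry in
            # Only literal IPv4 addresses and CIDR blocks are handled;
            # $VARIABLE references and !negations are rejected, not guessed at.
            *[!0-9./]*) echo "unsupported entry: $entry" >&2; exit 1 ;;
            */*) term="net $entry" ;;
            *)   term="host $entry" ;;
        esac
        terms="${terms:+$terms or }$term"
    done
    # An empty list would yield an invalid filter, so fail instead.
    [ -n "$terms" ] || exit 1
    printf 'not (%s)\n' "$terms"
)

# Constructed sample list (addresses are made up for the example).
IGNORE_LIST='[10.11.10.12, 10.11.10.0/24]'
filter=$(var_to_bpf_exclude "$IGNORE_LIST")
echo "$filter"
# The result is then given to snort as the trailing filter argument:
#   snort <options> "$filter"
```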