[Snort-users] VAR and IP lists

Erek Adams erek at ...577...
Sat Mar 30 20:11:05 EST 2002

On Sat, 30 Mar 2002, Subba Rao wrote:


> Some of the packets for the hosts in the VAR list (ex: would
> still get alerted.

Ok, so you want to ignore some hosts and some packets but not all packets from
the entire list of hosts?


> I am assuming you mean the preprocessor. The hosts in these VAR lists do not
> have any preprocessor related activities.

Ok.  They are simply stand-alone then.

> As for portscans, I have included my routers in another large VAR list and
> seems to work well. However, I would like to know how do you deal with the
> same issue (portscans) using BPF filters.

It's the same style of filters that tcpdump uses.  Have a look at the
tcpdump man page for some examples.

snort <options> 'host X and port Y'

Such as that...

Erek Adams
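
Added example, not part of the original post: a shell helper that turns a host list into a BPF exclusion expression of the 'host X and port Y' style mentioned above. The function name, the input format and the 192.0.2.x addresses are assumptions made for illustration. Packets matched by the filter never reach Snort, so a host-only entry silences every rule for that host, while a host-and-port entry leaves its other traffic inspected.

```shell
#!/bin/sh
# Build a BPF expression that hides selected traffic from Snort.
# Input format (an assumption of this example), one entry per line:
#   <ipv4>          ignore every packet to or from the host
#   <ipv4> <port>   ignore only that host's traffic on that port
# Blank lines and lines starting with '#' are skipped.
build_bpf_exclusion() {
    terms=""
    # '|| [ -n "$host" ]' keeps a final line that lacks a trailing newline.
    while read -r host port _rest || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        # Accept only dotted-quad shaped tokens, so a stray word or
        # operator can never change the meaning of the filter.
        if ! printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "skipping invalid host: $host" >&2
            continue
        fi
        if [ -n "$port" ]; then
            case "$port" in
                *[!0-9]*) echo "skipping invalid port: $port" >&2; continue ;;
            esac
            term="(host $host and port $port)"
        else
            term="host $host"
        fi
        if [ -z "$terms" ]; then
            terms="$term"
        else
            terms="$terms or $term"
        fi
    done
    # With nothing to exclude, print nothing (an empty filter captures all).
    if [ -n "$terms" ]; then
        printf 'not (%s)\n' "$terms"
    fi
    return 0
}

# Usage (routers.txt is a placeholder file name):
#   build_bpf_exclusion < routers.txt > ignore.bpf
#   snort <options> -F ignore.bpf
```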

