[Snort-users] BPF Filters howto
lists at ...3351...
Mon Oct 28 08:30:08 EST 2002
I understand your syntax, now how do I get snort to use. Based on the
documentation, would I drop your line below to a text file and then call
that text file with the -F option when starting Snort?
On Mon, 2002-10-28 at 08:21, Hutchinson, Andrew wrote:
As a reference, I'd recommend Northcutt's book "Network Intrusion
Detection: An Analyst's Handbook", 2nd ed. It does a pretty good job of
explaining BPF filters, from the general to the very specific (logical
ANDing to examine specific bits or bit combinations, etc.).
For what you want to do, perhaps this will help:
Lets say that you want to ignore traffic from the 192.168.10.0/24
network destined for port 22:
'!(src net 192.168.10.0/24 && dst port 22)'
You just define the traffic that you want to ignore (in this case,
anything that is both from 192.168.10.0/24 and destined for port 22),
and then negate it with the logical not (!).
Hope that helps.
Vanderbilt University Medical Center
From: Ben Keepper [mailto:lists at ...3351...]
Sent: Monday, October 28, 2002 10:08 AM
Subject: [Snort-users] BPF Filters howto
I am trying to figure out how to use BPF filters to ignore certain
traffic with Snort.
Other than the Snort manpage, documentation on how to use BPF filters
seems to be scarce.
I see this in the Snort FAQ, but it doesn't seem to be complete.
"Use bpf on the commandline to ignore a host (for example):
$ snort <commandline options> not host 192.168.0.1"
Also I would like to ignore traffic on specific destination port from a
Can anybody help with some documentation or a quick howto.
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
*** Paladin Security Systems scanned this email for malicious content
*** IMPORTANT: Do not open attachments from unrecognized senders ***
More information about the Snort-users