[Snort-users] BPF Filters

Little Mitty lilmitty at ...125...
Mon Oct 28 13:45:09 EST 2002


I found the email to which I referred earlier.  It was originally posted by 
Phil Wood on 6/03/2002.

In this he said in part:

"To save on the ink you can:

  snort <options> not host '(1.1.1.1 or 2.1.1.1)'

I prefer to use a file for my bpf filter.

  snort <options> -F snort.bpf

where snort.bpf might look like:

=======================================
tcp	and
	(
	net	(
			172.16.0.0/12
			or 10.0.0.0/8
			or 192.168.0/16
		)
	and
	port	(
			21
			or 22
			or 23
			or 25
			or 110
		)
        and not
	host	(
			172.16.1.1
			or 192.168.254.1
		)
	)
	and
	tcp[13] & 3 != 0
======================================= "
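
Added example, not part of the original post or of Phil Wood's email: a Python model of what the quoted snort.bpf selects, run over constructed sample packets. It assumes "192.168.0/16" means 192.168.0.0/16; the function and variable names are hypothetical.

```python
import ipaddress

# Values copied from the quoted snort.bpf ("192.168.0/16" read as 192.168.0.0/16).
NETS = [ipaddress.ip_network(n)
        for n in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]
PORTS = {21, 22, 23, 25, 110}
EXCLUDED = {ipaddress.ip_address(h) for h in ("172.16.1.1", "192.168.254.1")}
FIN, SYN = 0x01, 0x02  # low two bits of the TCP flags byte, tcp[13]


def matches(proto, src, dst, sport, dport, flags):
    """Return True if a packet would pass the quoted filter."""
    if proto != "tcp":
        return False
    addrs = [ipaddress.ip_address(src), ipaddress.ip_address(dst)]
    # net, port and host carry no src/dst qualifier, so either side may match.
    in_nets = any(a in n for a in addrs for n in NETS)
    on_port = sport in PORTS or dport in PORTS
    # "not host (A or B)": neither endpoint may be an excluded host.
    excluded = any(a in EXCLUDED for a in addrs)
    # "tcp[13] & 3 != 0": SYN or FIN set, i.e. connection setup or teardown.
    syn_or_fin = (flags & (SYN | FIN)) != 0
    return in_nets and on_port and not excluded and syn_or_fin


# Constructed sample packets: (proto, src, dst, sport, dport, flags).
SAMPLES = [
    ("tcp", "10.1.2.3", "203.0.113.5", 40000, 22, 0x02),      # SYN to ssh
    ("tcp", "10.1.2.3", "203.0.113.5", 40000, 22, 0x10),      # ACK only
    ("tcp", "172.16.1.1", "10.0.0.5", 40001, 25, 0x02),       # excluded host
    ("tcp", "203.0.113.5", "198.51.100.7", 40002, 22, 0x02),  # outside the nets
    ("tcp", "192.168.1.10", "10.0.0.5", 40003, 80, 0x02),     # port not listed
    ("udp", "10.1.2.3", "10.0.0.5", 40004, 22, 0x00),         # not TCP
    ("tcp", "192.168.1.10", "198.51.100.7", 110, 40005, 0x11),  # FIN+ACK from pop3
]


def run_samples():
    """Evaluate every constructed sample against the filter model."""
    return [matches(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print("pass" if verdict else "drop", pkt)
```

Only the first and last samples pass, so Snort would see just the SYN and FIN packets of the listed services on the private ranges, not the data in between.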

