[Snort-users] help with regular expressions

SRH-Lists giermo at ...8381...
Wed Apr 2 08:36:02 EST 2003


> Hi all!
> I just installed snort-2.0.0rc2 and want snort to NOT report any alert 
> from hosts a.a.a.a and b.b.b.b to destination c.c.c.c port dddd.
> 
> Is this correct?:
> /usr/local/bin/snort -D -i eth1 -A fast -N -c 
> /usr/local/snort/rules/snort.conf not \( \(src host a.a.a.a 
> or src host 
> b.b.b.b\) and dst host c.c.c.c and dst port dddd\)

That looks right to me.
 
> It seems OK, it is working now. I just want to verify with you, 
> and want to 
> know if it is possible to put that expression
> in the file snort.conf, and how?

There is no way to put that into snort.conf.  You can, however, put it
in a text file (e.g. filter.txt) and use the -F switch on the snort
command line.

Like this:

snort -D -i eth1 -A fast -N -c /path/to/snort.conf -F
/path/to/filter.txt


I am not sure how the syntax of the BPF changes when it is in a file,
but IIRC you can leave out the '\'s.

So filter.txt would be:

((src host a.a.a.a or src host b.b.b.b) and dst host c.c.c.c and dst
port dddd)

-steve
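Added example, not part of the thread and not Snort's own code: the filter file discussed above, built by a small POSIX shell script and test-compiled with tcpdump before it is handed to snort -F. The script keeps the leading "not" from the original command line so that snort still captures everything except the a.a.a.a/b.b.b.b -> c.c.c.c:dddd traffic, and it writes the parentheses without backslashes because libpcap reads the file directly rather than the shell. The snort invocation and the filter.txt name are the ones from the reply; the 192.0.2.x/198.51.100.x addresses and port 8080 in the demo are RFC 5737 placeholders standing in for a.a.a.a, b.b.b.b, c.c.c.c and dddd; the function names make_filter and check_filter and the empty-pcap trick used to compile without root are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): build the exclusion filter for
# snort -F and test-compile it with tcpdump before restarting snort.
# Demo addresses are RFC 5737 placeholders, not real hosts.

# make_filter SRC1 SRC2 DST DPORT FILE
# Writes "not ((src host SRC1 or src host SRC2) and dst host DST and dst port DPORT)"
# to FILE. The leading "not" makes it an exclusion: without it snort would see
# only the traffic you meant to drop. No backslashes are needed inside the
# file, since libpcap parses it, not the shell.
make_filter() {
    printf 'not ((src host %s or src host %s) and dst host %s and dst port %s)\n' \
        "$1" "$2" "$3" "$4" > "$5"
}

# check_filter FILE
# Compiles FILE with "tcpdump -d" against a 24-byte empty pcap (global header
# only: little-endian magic, version 2.4, snaplen 65535, link type 1 =
# Ethernet), so no interface is opened and no root privilege is needed.
# Returns 0 if the filter compiles, 1 on a BPF syntax error, 2 if tcpdump is
# not installed (caller decides whether to proceed unchecked).
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    empty=$(mktemp) || return 2
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$empty"
    if tcpdump -r "$empty" -F "$1" -d >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$empty"
    return $rc
}

# Demo, run only when invoked as:  sh filter.sh demo
if [ "${1:-}" = "demo" ]; then
    f=${FILTER_FILE:-./filter.txt}
    make_filter 192.0.2.10 192.0.2.11 198.51.100.5 8080 "$f"
    cat "$f"
    check_filter "$f"
    case $? in
        0) echo "filter compiles; run: snort -D -i eth1 -A fast -N -c /path/to/snort.conf -F $f" ;;
        1) echo "BPF syntax error in $f" >&2; exit 1 ;;
        2) echo "tcpdump not installed, filter not test-compiled" >&2 ;;
    esac
fi
```

Compiling the filter first matters because snort reads the -F file at startup: a typo in it would stop the daemon from coming up rather than silently passing traffic through. The check uses the same libpcap compiler snort does, so a filter that compiles under tcpdump -d will be accepted by snort -F.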
