[Snort-users] help with regular expressions
giermo at ...8381...
Wed Apr 2 08:36:02 EST 2003
> Hi all!
> I just installed snort-2.0.0rc2 and want snort to NOT report any alert
> from hosts a.a.a.a and host b.b.b.b to destination c.c.c.c port dddd.
> Is this correct?:
> /usr/local/bin/snort -D -i eth1 -A fast -N -c
> /usr/local/snort/rules/snort.conf not \( \(src host a.a.a.a
> or src host
> b.b.b.b\) and dst host c.c.c.c and dst port dddd\)
That looks right to me.
> It seems OK, it is working now. Just want to verify with you,
> and want to
> know if it is possible to put that expression
> in the file snort.conf, and how?
There is no way to put that into snort.conf. You can, however, put it
in a text file (e.g. filter.txt) and use the -F switch on the snort
snort -D -i eth1 -A fast -N -c /path/to/snort.conf -F
I am not sure how the syntax of the bpf changes when it is in a file,
but IIRC you can leave out the '\'s.
So filter.txt would be:
((src host a.a.a.a or src host b.b.b.b) and dst host c.c.c.c and dst
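The point the reply is unsure about (whether the backslashes belong in the filter file) comes down to who consumes them: on the command line the shell strips `\(` to `(` before snort ever sees the expression, while with `-F` snort reads the file directly and no shell is involved. The following Python script, added here as an illustration and not taken from the thread or from the Snort project, builds the same exclusion filter from validated host and port values, shows the command-line form with escaped parentheses, and uses `shlex` to confirm that the tokens a POSIX shell hands to snort are exactly the unescaped text that belongs in filter.txt. The function names and the addresses and port used as input are constructed for the example.

```python
"""Build a BPF exclusion filter for snort -F (or the command line).
Added example, not code from the original thread or from Snort.
All hosts/ports below are constructed sample values (RFC 5737 ranges)."""
import ipaddress
import shlex


def build_exclusion_filter(src_hosts, dst_host, dst_port):
    """Return a BPF expression that suppresses traffic from any of
    src_hosts to dst_host:dst_port and keeps everything else.

    Hosts are validated as IP literals so a typo cannot silently widen
    or narrow the exclusion; the port must be in 1..65535.
    """
    if not src_hosts:
        raise ValueError("need at least one source host")
    for h in list(src_hosts) + [dst_host]:
        ipaddress.ip_address(h)  # raises ValueError on a bad literal
    port = int(dst_port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    src_clause = " or ".join(f"src host {h}" for h in src_hosts)
    return (f"not (({src_clause}) and dst host {dst_host} "
            f"and dst port {port})")


def shell_escape_for_cmdline(expr):
    """Escape the parentheses so the expression survives a POSIX shell
    when passed as trailing snort arguments (what the command line in
    the thread does by hand)."""
    return expr.replace("(", r"\(").replace(")", r"\)")


def argv_seen_by_snort(cmdline):
    """Split a command line the way a POSIX shell would, so we can see
    the filter text snort actually receives (backslashes consumed)."""
    return shlex.split(cmdline)


def filter_file_contents(expr):
    """Text to write into filter.txt for snort -F: the unescaped
    expression, because no shell processes the file's contents."""
    return expr + "\n"


# constructed sample values, not real hosts
SRC_HOSTS = ["192.0.2.10", "192.0.2.11"]
DST_HOST = "198.51.100.5"
DST_PORT = 514

if __name__ == "__main__":
    expr = build_exclusion_filter(SRC_HOSTS, DST_HOST, DST_PORT)
    cmd = ("snort -D -i eth1 -A fast -N -c /path/to/snort.conf "
           + shell_escape_for_cmdline(expr))
    argv = argv_seen_by_snort(cmd)
    # After the shell strips the escapes, the trailing arguments joined
    # back together equal the unescaped expression for filter.txt.
    tail = " ".join(argv[argv.index("/path/to/snort.conf") + 1:])
    print("command line :", cmd)
    print("snort sees   :", tail)
    print("filter.txt   :", filter_file_contents(expr), end="")
    print("match:", tail == expr)
```

As an offline sanity check before reloading the sensor, the same file can be compiled by libpcap without snort: `tcpdump -d -F filter.txt` reads the expression from the file and prints the compiled matcher (or a parse error), so a stray backslash or unbalanced parenthesis is caught before it silently changes what the IDS inspects.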