[Snort-users] help with regular expressions

Erek Adams erek at ...950...
Wed Apr 2 08:50:43 EST 2003


On Wed, 2 Apr 2003, Julio E. Gonzalez P. wrote:

> Hi all!
> I just installed snort-2.0.0rc2 and want snort to NOT report any alert
> from hosts a.a.a.a and b.b.b.b to destination c.c.c.c port dddd.
>
> Is this correct?:
> /usr/local/bin/snort -D -i eth1 -A fast -N -c
> /usr/local/snort/rules/snort.conf not \( \(src host a.a.a.a or src host
> b.b.b.b\) and dst host c.c.c.c and dst port dddd\)

Yep.  That's what you want.

> It seems OK and is working now. I just want to verify with you, and want to
> know if it is possible to put that expression
> in the file snort.conf, and how?

No, but you can place it into a file.  Put it in a file and then use:

	snort <options> -F bpf_file

or in snort.conf

	config bpf_file: bpf_file

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




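Added example, not part of the original thread: a shell helper that generates the filter from the thread for use with -F or config bpf_file. The function names and the documentation-range addresses are assumptions. Inside the file the parentheses carry no backslashes, because no shell parses them.

```shell
#!/bin/sh
# Added example: build the exclusion filter for "snort -F" / "config bpf_file".
# Function names and the RFC 5737 addresses in the usage lines are assumptions.

is_ipv4() {
    # Reject anything that is not digits separated by single dots.
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (function-local positional params)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

is_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# make_bpf_exclusion DST_HOST DST_PORT SRC_HOST [SRC_HOST...]
# Prints: not ((src host A or src host B) and dst host C and dst port D)
# Returns 2 and prints nothing on bad input.
make_bpf_exclusion() {
    [ $# -ge 3 ] || return 2
    dst=$1; port=$2
    shift 2
    is_ipv4 "$dst" && is_port "$port" || return 2
    srcs=""
    for s in "$@"; do
        is_ipv4 "$s" || return 2
        srcs="${srcs:+$srcs or }src host $s"
    done
    printf 'not ((%s) and dst host %s and dst port %s)\n' "$srcs" "$dst" "$port"
}

# Usage (constructed addresses):
#   make_bpf_exclusion 192.0.2.10 8080 198.51.100.1 198.51.100.2 > bpf_file \
#       || rm -f bpf_file
#   snort <options> -F bpf_file
```

A BPF filter is applied before packets reach Snort's detection engine, so the excluded traffic is neither inspected nor logged, which makes an overly broad filter a blind spot and not just a quieter alert file.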