[Snort-users] Snort Filtering

Matt Kettler mkettler at ...4108...
Tue Apr 29 15:18:03 EDT 2003


At 05:25 PM 4/29/2003 -0400, Michale wrote:
>   But can I filter out the logging based on IP or Domain Name..

Impossible based on domain name. There's not enough time for snort to do 
expensively slow things like DNS lookups (which may take seconds, and snort 
should on average be done with a packet in under a millisecond if it wants 
to try to keep up).

By IP, configure your rule to use a negation, instead of "any" for the IP 
addresses.

I assume that since you're "logging everything" you've got a rule like
alert ip any any -> any any (msg:"packet";)

Make it
alert ip !111.222.333.444/32 any -> any any (msg:"packet";)

You can also use BPF filters to bypass, or use pass rules with the -o 
option to snort.

However, my biggest question is, if you're logging *everything* or close to 
everything, why are you using snort at all? TCPDump is a much better tool 
if you're just grabbing packets based on patterns in the header. Snort adds 
value in its ability to do fast string searches on the data, something 
you're not even using.
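To make the address-negation advice above concrete, here is an added example (not from the post or from Snort itself) that models how Snort 2 evaluates the source/destination address field of an "alert ip SRC any -> DST any" rule: "any", a host or CIDR, a bracketed list, each optionally prefixed with "!". The sample packets and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed documentation-range values standing in for the 111.222.333.444 placeholder in the post.

```python
import ipaddress

# Constructed sample "packets" as (src, dst) pairs; documentation ranges only.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.7"),   # the host we want to stop logging
    ("192.0.2.11", "198.51.100.7"),   # a neighbour that should still be logged
    ("203.0.113.5", "192.0.2.10"),    # traffic *to* the host: src-only negation keeps it
]


def parse_addr_field(field):
    """Parse one Snort 2 address field.

    Accepts 'any', 'a.b.c.d', 'a.b.c.d/nn' or a bracketed list '[x,y,...]',
    optionally prefixed with '!' to negate the whole field.
    Returns (negated, list_of_ip_networks).
    """
    field = field.strip()
    negated = field.startswith("!")
    if negated:
        field = field[1:]
    if field == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    nets = [ipaddress.ip_network(item.strip(), strict=False)
            for item in field.split(",") if item.strip()]
    return negated, nets


def addr_matches(field, ip):
    """True if the address field matches ip; '!' inverts the result."""
    negated, nets = parse_addr_field(field)
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in nets)
    return hit != negated


def rule_matches(src_field, dst_field, packets):
    """Return the packets that 'alert ip SRC any -> DST any' would log."""
    return [p for p in packets
            if addr_matches(src_field, p[0]) and addr_matches(dst_field, p[1])]


if __name__ == "__main__":
    for rule in ("any", "!192.0.2.10/32", "![192.0.2.0/24,203.0.113.5]"):
        print(rule, "->", rule_matches(rule, "any", SAMPLE_PACKETS))
```

Note that negating only the source field still logs packets sent to the excluded host; negate both fields if you want that direction dropped too.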
