[Snort-users] Snort Filtering
mkettler at ...4108...
Tue Apr 29 15:18:03 EDT 2003
At 05:25 PM 4/29/2003 -0400, Michale wrote:
> But can I filter out the logging based on IP or domain name?
Impossible based on domain name. There's not enough time for snort to do
expensively slow things like DNS lookups (which may take seconds, and snort
should on average be done with a packet in under a millisecond if it wants
to try to keep up).
By IP, configure your rule to use a negation instead of "any" for the IP.
I assume that since you're "logging everything" you've got a rule like

    alert ip any any -> any any (msg:"packet";)

which you would change to

    alert ip !111.222.333.444/32 any -> any any (msg:"packet";)
You can also use BPF filters to bypass, or use pass rules with the -o
option to snort.
However, my biggest question is, if you're logging *everything* or close to
everything, why are you using snort at all? TCPDump is a much better tool
if you're just grabbing packets based on patterns in the header. Snort adds
value in its ability to do fast string searches on the data, something
you're not even using.
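The three exclusion mechanisms named in the reply (source-IP negation, a pass rule with -o, and a BPF filter on the command line), written out as an added example that is not code from the original post. It assumes Snort 2.x rule syntax and the -o rule-order switch; 192.0.2.1, the file names and the directory are placeholders chosen for this example.

```shell
# Added example: excluding one host from a log-everything Snort setup.
# 192.0.2.1 is a documentation-range placeholder for the host to exclude;
# the rules directory and file names are constructed for this example.
EXCLUDE_HOST="192.0.2.1"
RULES_DIR="${TMPDIR:-/tmp}/snort-filter-example"
mkdir -p "$RULES_DIR"

# 1. Negation in the rule's source-IP field instead of "any": the packet is
#    still inspected, but the rule no longer matches traffic from that host.
write_negation_rule() {
  cat > "$RULES_DIR/negate.rules" <<EOF
alert ip !$EXCLUDE_HOST/32 any -> any any (msg:"packet"; sid:1000001;)
EOF
}

# 2. A pass rule for the host beside the catch-all alert rule. Pass rules
#    only take precedence when snort is started with -o, which changes the
#    rule test order from Alert|Pass|Log to Pass|Alert|Log.
write_pass_rule() {
  cat > "$RULES_DIR/pass.rules" <<EOF
pass ip $EXCLUDE_HOST/32 any -> any any
alert ip any any -> any any (msg:"packet"; sid:1000002;)
EOF
}

# 3. A BPF expression given as the trailing command-line arguments: packets
#    from or to the host are dropped by the capture filter before any rule
#    runs, which is the cheapest option of the three.
bpf_command() {
  printf 'snort -c %s/pass.rules -o not host %s\n' "$RULES_DIR" "$EXCLUDE_HOST"
}

write_negation_rule
write_pass_rule
bpf_command
```

Run the block to produce the two rule files and print the command line; replace the placeholder host and paths with your own before pointing a real snort at them.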