[Snort-users] Rule to pass ARP?

Toby Rodwell trodwell at ...10764...
Sun Dec 14 08:04:01 EST 2003


I would like to use SNORT to monitor my home Internet connection.  Because
my connection is a cable-modem, about 90% of the traffic is ARP.  I know I
can pass all ARP traffic with an expression 'not arp' at the end of the
command line, but how might I do this using a rule (because it appears there
is no 'arp' type yet)?  Ideally, I'd like to pass all ARP messages which
aren't searching for my IP address - is there something clever you can do
with pattern matching in the ARP packet's content?

Thanks in advance.
Toby
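
The decision the question describes (keep all non-ARP traffic, and keep ARP only when it asks for one particular IP address), written out as an added example that is not part of the original post and is not Snort code. The function names, the sample frames and the 192.0.2.x addresses are constructed for illustration; untagged Ethernet (no VLAN header) is assumed.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Construct a broadcast Ethernet/IPv4 ARP request (sample data only)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sender_mac + socket.inet_aton(sender_ip)      # sender MAC / IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)     # target MAC / IP
    return eth + arp


def keep_frame(frame, my_ip):
    """Return True if the frame should reach the IDS, False to ignore it.

    Non-ARP traffic is always kept. ARP is kept only when its target
    protocol address equals my_ip. Anything malformed is kept rather
    than silently discarded, so the sensor still sees it.
    """
    if len(frame) < 14:
        return True                      # runt frame
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return True                      # not ARP at all
    arp = frame[14:]
    if len(arp) < 28:
        return True                      # truncated ARP payload
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return True                      # not Ethernet/IPv4 ARP
    # Target protocol address: bytes 24..27 of the ARP payload.
    return socket.inet_ntoa(arp[24:28]) == my_ip


# Constructed sample input.
MY_IP = "192.0.2.10"
NEIGHBOUR_MAC = bytes.fromhex("020000000001")
ARP_FOR_ME = build_arp_request(NEIGHBOUR_MAC, "192.0.2.1", MY_IP)
ARP_FOR_OTHER = build_arp_request(NEIGHBOUR_MAC, "192.0.2.1", "192.0.2.77")
IPV4_FRAME = b"\x00" * 12 + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for name, frame in [("arp for me", ARP_FOR_ME),
                        ("arp for other", ARP_FOR_OTHER),
                        ("ipv4", IPV4_FRAME)]:
        print(name, "->", "keep" if keep_frame(frame, MY_IP) else "ignore")
```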





