[Snort-users] Rule to pass ARP?
trodwell at ...10764...
Sun Dec 14 08:04:01 EST 2003
I would like to use SNORT to monitor my home Internet connection. Because
my connection is a cable-modem, about 90% of the traffic is ARP. I know I
can pass all ARP traffic with an expression 'not arp' at the end of the
command line, but how might I do this using a rule (because it appears there
is no 'arp' type yet)? Ideally, I'd like to pass all ARP messages which
aren't searching for my IP address - is there something clever you can do
with pattern matching in the ARP packet's content?
Thanks in advance.