[Snort-users] Rule to pass ARP?

Matt Kettler mkettler at ...4108...
Sun Dec 14 09:24:01 EST 2003

At 11:03 AM 12/14/2003, Toby Rodwell wrote:
>I would like to use SNORT to monitor my home Internet connection.  Because
>my connection is a cable-modem, about 90% of the traffic is ARP.  I know I
>can pass all ARP traffic with an expression 'not arp' at the end of the
>command line, but how might I do this using a rule (because it appears there
>is no 'arp' type yet)?  Ideally, I'd like to pass all ARP messages which
>aren't searching for my IP address - is there something clever you can do
>with pattern matching in the ARP packet's content?

First question... why do you need to pass arp messages in the first 
place... AFAIK, none of the standard rules examine arp packets, so given 
the RTN construction of snort a pass rule would not be any faster than no rule.
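
The selection asked about in the quoted question (drop ARP unless its target address is the monitored host), worked through as an added example that is not part of either poster's message. The names parse_arp, keep_frame and build_arp, the address 192.0.2.10 and the sample frames are all constructed for illustration; this is stand-alone Python, not Snort rule syntax.

```python
import socket
import struct

ARP_ETHERTYPE = b"\x08\x06"

def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # Layout after the 8-byte ARP header: SHA(6) SPA(4) THA(6) TPA(4)
    return oper, socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])

def keep_frame(frame, my_ip):
    """True if the frame should be inspected, False if it is ARP for someone else."""
    if len(frame) < 14 or frame[12:14] != ARP_ETHERTYPE:
        return True                 # not ARP: always inspect
    arp = parse_arp(frame)
    if arp is None:
        return True                 # truncated or non-IPv4 ARP: unusual, keep it
    return arp[2] == my_ip          # keep only ARP whose target address is ours

def build_arp(oper, spa, tpa, sha=b"\x02\x00\x00\x00\x00\x01", tha=b"\x00" * 6):
    """Build a constructed broadcast ARP frame for the samples below."""
    eth = b"\xff" * 6 + sha + ARP_ETHERTYPE
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + body + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

MY_IP = "192.0.2.10"                # assumed address of the monitored host
SAMPLES = {                         # constructed frames, not captured traffic
    "who-has me": build_arp(1, "192.0.2.1", MY_IP),
    "who-has neighbour": build_arp(1, "192.0.2.1", "192.0.2.77"),
    "truncated arp": build_arp(1, "192.0.2.1", MY_IP)[:30],
    "ipv4 frame": b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x45" + b"\x00" * 40,
}

def classify_samples():
    """Map each sample name to the keep/drop decision."""
    return {name: keep_frame(f, MY_IP) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, keep in classify_samples().items():
        print(f"{name:20s} {'keep' if keep else 'drop'}")
```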
