[Snort-users] Rule to pass ARP?

Toby Rodwell trodwell at ...10764...
Sun Dec 14 16:07:01 EST 2003


You're right, I don't need to 'pass' ARP packets do I?  I assumed I would
need to because running 'snort -dv -c snort.conf' had a whole load of ARP
messages flashing past on the screen - but then I see that none are actually
logged.  What I should have asked is IF I wanted to log ARP packets, what
would I need to do?

And thanks for the quick reply!
Toby

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: 14 December 2003 17:25
To: Toby Rodwell; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rule to pass ARP?


At 11:03 AM 12/14/2003, Toby Rodwell wrote:
>I would like to use SNORT to monitor my home Internet connection.  Because
>my connection is a cable-modem about 90% of the traffic is ARP.  I know I
>can pass all ARP traffic with an expression 'not arp' at the end of the
>command line, but how might I do this using a rule (because it appears
there
>is no 'arp' type yet)?  Ideally, I'd like to pass all ARP messages which
>aren't searching for my IP address - is there something clever you can do
>with pattern matching in the ARP packet's content?

First question... why do you need to pass arp messages in the first
place... AFAIK, none of the standard rules examine arp packets, so given
the RTN construction of snort a pass rule would not be any faster than no
rule.


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 11/12/2003
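As an added illustration of the "pattern matching in the ARP packet's content" idea raised above (this is example code written for this page, not from the thread or from the Snort project), the script below parses Ethernet/IPv4 ARP frames, keeps only those whose target protocol address is the monitored host, and emits the equivalent pcap/BPF expression that extends the 'not arp' command-line filter already mentioned. The IP and MAC addresses, and the sample frames, are constructed for the example.

```python
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_HDR_LEN = 14
ARP_PKT_LEN = 28  # hardware type .. target protocol address, Ethernet/IPv4 case
# Ethernet/IPv4 ARP layout, offsets relative to the start of the ARP header:
#  0 htype(2) 2 ptype(2) 4 hlen(1) 5 plen(1) 6 oper(2)
#  8 sender MAC(6) 14 sender IP(4) 18 target MAC(6) 24 target IP(4)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an Ethernet/IPv4 ARP packet (test input)."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else mac(tha)  # requests are broadcast
    eth = struct.pack("!6s6sH", eth_dst, mac(sha), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac(sha), ipaddress.IPv4Address(spa).packed,
                      mac(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return a dict describing the ARP packet, or None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR_LEN + ARP_PKT_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_PKT_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not the Ethernet/IPv4 flavour; offsets below would be wrong
    return {"oper": oper,
            "sha": sha.hex(":"), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(ipaddress.IPv4Address(tpa))}


def concerns_host(frame, my_ip):
    """True for ARP requests asking who has my_ip and for ARP replies addressed to it."""
    arp = parse_arp(frame)
    return arp is not None and arp["tpa"] == my_ip


def filter_frames(frames, my_ip):
    """Keep only the ARP packets whose target protocol address is my_ip."""
    return [parse_arp(f) for f in frames if concerns_host(f, my_ip)]


def bpf_for_host(my_ip):
    """pcap-filter equivalent of concerns_host(): pass everything that is not ARP,
    plus ARP whose target IP (offset 24 of the ARP header, 4 bytes) is my_ip."""
    return "not arp or arp[24:4] = 0x%08x" % int(ipaddress.IPv4Address(my_ip))


# Constructed sample traffic for the example (not a real capture): a cable segment
# where most frames are ARP chatter about other hosts.
MY_IP = "192.168.1.10"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.1",
              "00:00:00:00:00:00", MY_IP),             # gateway asks who has my IP
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.1",
              "00:00:00:00:00:00", "192.168.1.77"),    # noise: request for another host
    build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.1",
              "aa:bb:cc:dd:ee:ff", MY_IP),             # reply addressed to me
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.50",
              "00:11:22:33:44:55", "192.168.1.1"),     # noise: someone else's reply
    b"\x00" * 60,                                       # a non-ARP frame (ethertype 0)
]

if __name__ == "__main__":
    for arp in filter_frames(SAMPLE_FRAMES, MY_IP):
        kind = "request" if arp["oper"] == ARP_REQUEST else "reply"
        print("ARP %s from %s (%s) for %s" % (kind, arp["spa"], arp["sha"], arp["tpa"]))
    print("BPF:", bpf_for_host(MY_IP))
```

The expression from bpf_for_host() goes where the 'not arp' filter went, i.e. at the end of the snort command line, since it is a pcap-level filter rather than a Snort rule; as the thread notes, the rule language at this point has no 'arp' protocol to match on. Two caveats: the offsets only hold for Ethernet/IPv4 ARP (hlen 6, plen 4), which is why parse_arp() checks those fields before trusting them; and a request for your own address is ordinary traffic, so if the goal is spotting spoofing, the interesting case is a reply claiming your IP or your gateway's IP from an unexpected MAC, which is what a check of the sender fields (sha/spa) against known pairs, or Snort's arpspoof preprocessor where your version has it, is for.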
