[Snort-users] Snort rule setting

Eric Hines eric.hines at ...8860...
Thu Oct 5 18:37:23 EDT 2006

Hash: SHA1

OK, so it sounds like what you want to do is filter out certain traffic
that you don't care about sending to Snort. So what you want to do is
use BPF filters, which Snort supports.


$ snort 'not src or dst port 25'


$ snort 'not src or dst port 25 and not src or dst'

or whatever you want to do.. This will prevent Snort from pattern
matching against this traffic. You'll want to pick up a whitepaper or
something on BPF filter usage..

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

- --------------------------------------------------

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC

- --------------------------------------------------

Email:   eric.hines at ...8860...
Address: 1095 Pingree Road
         Suite 221
         Crystal Lake, IL
Tel:     (877) 262-7593 ext:327
Local:   (847) 854-5831
Fax:     (847) 854-5106
Web:     http://www.appliedwatch.com

- --------------------------------------------------
Security Management for the Open Source Enterprise

Greta.Ji at ...4682... wrote:
> Snort scans FW port on the Internet DMZ. It works fine. But I see
> there are many traffic. I would like to filter some of them out.
> Ex: Any smtp (25) to mail servers, I don't want to see, but I want to
>     see DoS, overflow attempt,.. and port 25 sends to another system.
> Looks like I did not find right doc to read. I know how to add more
> rules, but how can I filter them out.
> Thank you for the help,
> --Greta
> ------------------------------------------------------------------------
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: eric.hines.vcf
Type: text/x-vcard
Size: 372 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20061005/661cc417/attachment.vcf>

More information about the Snort-users mailing list