[Snort-users] bpf filter to filter on *starting* port?

Jason Wallace jason.r.wallace at ...11827...
Tue Feb 8 14:24:38 EST 2011


Maybe adding "config ignore_ports: tcp 9000" to your conf file might
work. I'm not sure if this acts the same as a bpf or not.

On Tue, Feb 8, 2011 at 1:29 PM, Jason Haar <Jason.Haar at ...294...> wrote:
> On 02/09/2011 02:53 AM, Jason Wallace wrote:
>> not (host 1.2.3.4 and port 9000)
>>
>>
>> I think that would work. It will discard packets to/from 1.2.3.4 with
>> either a src or dst port of 9000.
>>
>>
>
> Sorry - I said "any host" - doing single hosts is doable (as you say) -
> it's the general rule that's beyond me
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>



