Snort mailing list archives
Re: Ignore multiple hosts with command line arguments
From: Phil Wood <cpw () lanl gov>
Date: Mon, 3 Jun 2002 15:08:55 -0600
To save on the ink you can:

  snort <options> not host '(1.1.1.1 or 2.1.1.1)'

I prefer to use a file for my bpf filter.

  snort <options> -F snort.bpf

where snort.bpf might look like:

=======================================
tcp and
(
  net ( 172.16.0.0/12 or 10.0.0.0/8 or 192.168.0/16 )
  and port ( 21 or 22 or 23 or 25 or 110 )
  and not host ( 172.16.1.1 or 192.168.254.1 )
)
and tcp[13] & 3 != 0
=======================================

A good explanation of how to code up a filter is in the man page for tcpdump(8).

On Mon, Jun 03, 2002 at 02:55:48PM -0400, Tom Sevy wrote:
> Yes you can.
>
>   snort <options> not (host 1.1.1.1 or host 2.1.1.1)
>
> If starting snort from a script, add '\' as escape char before parens:
>
>   snort <options> not \(host 1.1.1.1 or host 2.1.1.1\)
>
> -----Original Message-----
> From: McKim, Tim [mailto:McKim () nsf org]
> Sent: Monday, June 03, 2002 2:31 PM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] Ignore multiple hosts with command line arguments
>
> I am using the command line
>
>   snort <options> not host x.x.x.x
>
> to eliminate alerts from a host. My question is: Can you use the command line to ignore multiple hosts? If yes, what is the syntax?
>
> Tim McKim
>
> _______________________________________________________________
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov
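
An added example, not part of the original messages: a Python model of the snort.bpf filter posted above, run over constructed packets to show which ones would reach Snort. The packet dictionaries, sample addresses and function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Values copied from the snort.bpf file in the message above.
NETS = [ip_network(n) for n in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]
PORTS = {21, 22, 23, 25, 110}
IGNORED = {ip_address("172.16.1.1"), ip_address("192.168.254.1")}
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10  # bits of tcp[13], the TCP flags byte


def bpf_match(pkt):
    """Return True if the filter would pass this packet on to Snort."""
    if pkt["proto"] != "tcp":
        return False
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    # Without a src/dst qualifier, net/port/host match either end of the packet.
    in_net = any(addr in net for addr in (src, dst) for net in NETS)
    on_port = pkt["sport"] in PORTS or pkt["dport"] in PORTS
    ignored = src in IGNORED or dst in IGNORED
    syn_or_fin = (pkt["flags"] & (SYN | FIN)) != 0  # tcp[13] & 3 != 0
    return in_net and on_port and not ignored and syn_or_fin


def pkt(proto, src, sport, dst, dport, flags=0):
    """Build one constructed packet record (hypothetical helper)."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, flags=flags)


# Constructed sample packets (not captured traffic).
SAMPLES = [
    ("SYN to ssh on a private net", pkt("tcp", "10.0.0.5", 40000, "192.168.1.10", 22, SYN)),
    ("data segment, same session", pkt("tcp", "10.0.0.5", 40000, "192.168.1.10", 22, PSH | ACK)),
    ("SYN from an ignored host", pkt("tcp", "172.16.1.1", 40001, "10.0.0.5", 25, SYN)),
    ("SYN to an unlisted port", pkt("tcp", "10.0.0.5", 40002, "192.168.1.10", 80, SYN)),
    ("UDP on a listed port", pkt("udp", "10.0.0.5", 40003, "192.168.1.10", 23)),
    ("FIN+ACK reply from ssh", pkt("tcp", "192.168.1.10", 22, "10.0.0.5", 40000, FIN | ACK)),
    ("SYN between public hosts", pkt("tcp", "198.51.100.7", 40004, "203.0.113.9", 22, SYN)),
]


def verdicts():
    """Filter decision for each sample, in order."""
    return [bpf_match(p) for _, p in SAMPLES]


if __name__ == "__main__":
    for (label, _), seen in zip(SAMPLES, verdicts()):
        print(f"{'PASS' if seen else 'drop'}  {label}")
```

The second sample shows that this filter passes only segments with SYN or FIN set, so payload rules never see the data segments of those sessions, and traffic to or from the two excluded hosts is not inspected at all.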
Current thread:
- RE: Ignore multiple hosts with command line arguments Tom Sevy (Jun 03)
- Re: Ignore multiple hosts with command line arguments Phil Wood (Jun 03)