Snort mailing list archives

RE: Sniffer Mode


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 12 May 2003 17:17:50 -0400

Jeff,  
 
Try using a BPF filter [0] on the Snort command line to limit the traffic
seen by Snort.  For example:  
 
    snort [some options] host webserver-ip and net isp-network  
 
- Christopher 
 
 
[0] See the "expression" section: http://www.tcpdump.org/tcpdump_man.html

-----Original Message-----
From: Jeff Jirka [mailto:jjirka () qwest net]
Sent: Wednesday, May 07, 2003 11:21 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sniffer Mode


My setup...
 
   - web server sitting on the Internet running Snort v.2.0
   - this is a DSL circuit
   - my web server uses a static address
   - the router to my ISP also has a static address
   - a firewall to my internal network is also on this segment using another
static address
 
I want to capture traffic between the web server and ISP but see everything
on the screen for it AND the traffic between my internal network and ISP. I
have tried configuring a rules.txt file at least 10 different ways to no
avail. Is there some way to only show the traffic on the screen for the web
server to ISP conversations?
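
As an added example (not part of either message, and not Snort or libpcap code), the Python sketch below models the `host` and `net` primitives of the suggested filter and applies them to constructed packets. All addresses are documentation-range placeholders assumed for illustration.

```python
import ipaddress

# Constructed addresses from documentation ranges (assumptions, not from the thread).
WEBSERVER = "192.0.2.10"      # web server's static address
FIREWALL = "192.0.2.20"       # firewall on the same segment
ISP_ROUTER = "198.51.100.1"   # router at the ISP
ISP_NET = "198.51.100.0/24"   # stands in for "isp-network"

def host(addr):
    """BPF `host addr`: true when the source OR the destination is addr."""
    ip = ipaddress.ip_address(addr)
    return lambda src, dst: ip in (ipaddress.ip_address(src), ipaddress.ip_address(dst))

def net(cidr):
    """BPF `net cidr`: true when the source OR the destination lies in cidr."""
    n = ipaddress.ip_network(cidr)
    return lambda src, dst: ipaddress.ip_address(src) in n or ipaddress.ip_address(dst) in n

def both(a, b):
    """BPF `a and b`: both primitives are evaluated on the same packet."""
    return lambda src, dst: a(src, dst) and b(src, dst)

def shown(filt, packets):
    """Return the (src, dst) pairs the filter would pass on to Snort."""
    return [p for p in packets if filt(*p)]

PACKETS = [  # constructed sample traffic
    (WEBSERVER, ISP_ROUTER),   # web server -> ISP
    (ISP_ROUTER, WEBSERVER),   # ISP -> web server
    (FIREWALL, ISP_ROUTER),    # internal network (via firewall) -> ISP
    (WEBSERVER, FIREWALL),     # local traffic on the shared segment
]

# Model of: host webserver-ip and net isp-network
suggested = both(host(WEBSERVER), net(ISP_NET))

# Caveat: if "isp-network" also contains the web server's own address, the
# `net` term is true for every web server packet and only `host` filters.
too_wide = both(host(WEBSERVER), net("192.0.2.0/24"))

if __name__ == "__main__":
    for name, f in (("suggested", suggested), ("too_wide", too_wide)):
        print(name, shown(f, PACKETS))
```

A static DSL address is often allocated from the ISP's own range, so check which network the `net` term names before relying on it to exclude local traffic.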
 

