Snort mailing list archives
RE: help with regular expressions
From: SRH-Lists <giermo () 333tech com>
Date: Wed, 2 Apr 2003 10:33:51 -0600
Hi all! I just installed snort-2.0.0rc2 and want snort to NOT report any alerts from hosts a.a.a.a and b.b.b.b with destination c.c.c.c port dddd. Is this correct?:

    /usr/local/bin/snort -D -i eth1 -A fast -N -c /usr/local/snort/rules/snort.conf not \( \(src host a.a.a.a or src host b.b.b.b\) and dst host c.c.c.c and dst port dddd\)

That looks right to me.
It seems OK; it is working now. I just want to verify with you, and want to know if it is possible to put that expression in the file snort.conf, and how?
There is no way to put that into snort.conf. You can, however, put it in a text file (e.g. filter.txt) and use the -F switch on the snort command line. Like this:

    snort -D -i eth1 -A fast -N -c /path/to/snort.conf -F /path/to/filter.txt

I am not sure how the syntax of the bpf changes when it is in a file, but IIRC you can leave out the '\'s. So filter.txt would be:

    not ((src host a.a.a.a or src host b.b.b.b) and dst host c.c.c.c and dst port dddd)

-steve
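
Added example, not part of the original thread: a small shell helper that generates the exclusion filter discussed above in the form used in a -F file, validating each address and the port first. The function names and the RFC 5737 sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: addresses and port are constructed documentation values.

# Succeeds only for a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Succeeds only for a decimal port number in 1-65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_filter DST_HOST DST_PORT SRC_HOST [SRC_HOST...]
# Prints one BPF expression that hides from Snort only the packets sent
# by a listed source to DST_HOST:DST_PORT. No shell escaping (\) is
# needed because the text goes into a file, not onto the command line.
build_filter() {
    [ $# -ge 3 ] || return 1
    dst=$1 port=$2
    shift 2
    is_ipv4 "$dst" && is_port "$port" || return 1
    srcs=
    for h in "$@"; do
        # Reject anything that is not a plain address, so a stray token
        # such as "or" cannot silently widen what Snort stops seeing.
        is_ipv4 "$h" || return 1
        srcs="${srcs:+$srcs or }src host $h"
    done
    printf 'not ((%s) and dst host %s and dst port %s)\n' "$srcs" "$dst" "$port"
}

# Usage: write the file, then start Snort with -F /path/to/filter.txt.
build_filter 192.0.2.10 8080 198.51.100.1 198.51.100.2
```

The filter matches one direction only: replies from the destination back to the listed sources, and traffic from those sources to any other port, are still inspected.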