Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Rule to pass ARP?

From: "Toby Rodwell" <trodwell () iee org>
Date: Mon, 15 Dec 2003 00:06:04 -0000
You're right, I don't need to 'pass' ARP packets do I?  I assumed I would
need to because running 'snort -dv -c snort.conf' had a whole load of ARP
messages flashing past on the screen - but then I see that none are actually
logged.  What I should have asked is IF I wanted to log ARP packets, what
would I need to do?

And thanks for the quick reply!
Toby

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: 14 December 2003 17:25
To: Toby Rodwell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule to pass ARP?


At 11:03 AM 12/14/2003, Toby Rodwell wrote:

I would like to use SNORT to monitor my home Internet connection.  Because
my connection is a cable-modem about 90% of the traffic is ARP.  I know I
can pass all ARP traffic with an expression 'not arp' at the end of the
command line, but how might I do this using a rule (because it appears

there

is no 'arp' type yet)?  Ideally, I'd like to pass all ARP messages which
aren't searching for my IP address - is there something clever you can do
with pattern matching in the ARP packet's content?


First question... why do you need to pass arp messages in the first
place... AFAIK, none of the standard rules examine arp packets, so given
the RTN construction of snort a pass rule would not be any faster than no
rule.


---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 11/12/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.551 / Virus Database: 343 - Release Date: 11/12/2003



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: