Snort mailing list archives
RE: Rule to pass ARP?
From: "Toby Rodwell" <trodwell () iee org>
Date: Mon, 15 Dec 2003 00:06:04 -0000
You're right, I don't need to 'pass' ARP packets, do I? I assumed I would need to because running 'snort -dv -c snort.conf' had a whole load of ARP messages flashing past on the screen - but then I see that none are actually logged. What I should have asked is: IF I wanted to log ARP packets, what would I need to do? And thanks for the quick reply!

Toby

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: 14 December 2003 17:25
To: Toby Rodwell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule to pass ARP?

At 11:03 AM 12/14/2003, Toby Rodwell wrote:
I would like to use SNORT to monitor my home Internet connection. Because my connection is a cable-modem, about 90% of the traffic is ARP. I know I can pass all ARP traffic with an expression 'not arp' at the end of the command line, but how might I do this using a rule (because it appears there is no 'arp' type yet)? Ideally, I'd like to pass all ARP messages which aren't searching for my IP address - is there something clever you can do with pattern matching in the ARP packet's content?
First question... why do you need to pass arp messages in the first place... AFAIK, none of the standard rules examine arp packets, so given the RTN construction of snort a pass rule would not be any faster than no rule.
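The thread leaves the poster's second question open: how to match on the contents of an ARP packet so that only requests for one's own IP address are of interest. The following is an added example, not code from the thread or from the Snort project. It parses Ethernet/IPv4 ARP frames at the byte offsets defined by RFC 826, keeps only ARP requests whose target IP is a chosen address, and also emits the equivalent BPF expression (the same filter language as the 'not arp' the poster already uses on the snort command line; the BPF 'arp[offset:len]' accessor indexes into the ARP header at exactly these offsets). The MAC and IP addresses and the three sample frames are constructed for illustration.

```python
"""Match ARP requests aimed at a specific IP, by ARP header offset.

Added example for the 'Rule to pass ARP?' thread; not Snort code.
Offsets are those of RFC 826 for Ethernet/IPv4 ARP:
  0-1 hardware type   2-3 protocol type   4 hlen   5 plen   6-7 opcode
  8-13 sender MAC   14-17 sender IP   18-23 target MAC   24-27 target IP
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def parse_arp(frame: bytes) -> dict:
    """Return the ARP fields of an Ethernet frame; ValueError if it is not ARP."""
    if len(frame) < ETH_HDR_LEN + 28:
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (ethertype 0x%04x)" % ethertype)
    arp = frame[ETH_HDR_LEN:ETH_HDR_LEN + 28]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {
        "opcode": opcode,
        "sender_mac": arp[8:14].hex(":"),
        "sender_ip": ".".join(str(b) for b in arp[14:18]),
        "target_mac": arp[18:24].hex(":"),
        "target_ip": ".".join(str(b) for b in arp[24:28]),
    }


def is_request_for(frame: bytes, my_ip: str) -> bool:
    """True if the frame is an ARP request asking who holds my_ip."""
    try:
        a = parse_arp(frame)
    except ValueError:
        return False
    return a["opcode"] == ARP_REQUEST and a["target_ip"] == my_ip


def bpf_for_requests_to(my_ip: str) -> str:
    """The same test as is_request_for, as a BPF expression for snort/tcpdump.

    arp[6:2] is the opcode (1 = request); arp[24:4] is the target IP.
    """
    ip_hex = "0x" + bytes(int(o) for o in my_ip.split(".")).hex()
    return "arp and arp[6:2] = 1 and arp[24:4] = %s" % ip_hex


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed Ethernet/ARP frame (sample input, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac(target_mac)
    eth = dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


# Constructed addresses and frames for illustration only.
MY_IP = "192.168.1.10"
SAMPLE_FRAMES = [
    # request for my IP: should be kept
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.1", "00:00:00:00:00:00", MY_IP),
    # request for some other host: should be ignored
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.1", "00:00:00:00:00:00", "192.168.1.20"),
    # reply from my IP: not a request, should be ignored
    build_arp(ARP_REPLY, "66:77:88:99:aa:bb", MY_IP, "00:11:22:33:44:55", "192.168.1.1"),
]


def requests_for_me(frames, my_ip=MY_IP):
    """Keep only the ARP requests aimed at my_ip (the traffic the poster wanted to log)."""
    return [f for f in frames if is_request_for(f, my_ip)]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        a = parse_arp(f)
        print(a["opcode"], a["sender_ip"], "->", a["target_ip"], is_request_for(f, MY_IP))
    print(bpf_for_requests_to(MY_IP))
```

The BPF string the last function returns can be appended to the snort or tcpdump command line in place of 'not arp' (negate it with 'not (...)' to drop everything else), which is the closest thing to content matching on ARP available to a Snort version whose rule language has no 'arp' protocol.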
Current thread:
- Rule to pass ARP? Toby Rodwell (Dec 14)
- Re: Rule to pass ARP? Matt Kettler (Dec 14)
- RE: Rule to pass ARP? Toby Rodwell (Dec 14)
- Re: Rule to pass ARP? Matt Kettler (Dec 14)