Snort mailing list archives

Re: Network Variables
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 02 May 2013 15:28:05 -0400

On 5/2/2013 15:08, James Lay wrote:
Nicely done Waldo.

thank ya kindly, sir!

it's my programmer/analyst aspect that comes out at times ;)

i hope it works for seth's network in the way he wants it to... my testing 
seemed to indicate that it did WAD (Work As Desired) on my networks and servers 
while googlebot was slurping about and other traffic was flowing... i saw 
traffic to/from those networks to/from that host but none to/from port 80 of 
that host...

we really just needed to see exactly what was wanted in a clear and concise 
statement rather than generalities like we get so many times :)


On 2013-05-02 13:00, waldo kitty wrote:
On 5/2/2013 13:23, Seth Dunn wrote:
So now my question comes, since you were wondering about the rule I
was using.
This is my rule::
not net and dst host   dst port 80 or not
net and dst host   dst port 80

ok, i'm going to try to break this down and interpret your wants one
section at a time...

By my understanding, what I desire to see happen is this.
Traffic from the network going to http at
should be ignored.

(net and (host and port 80))

Also, traffic from the network going to http at should be ignored.

(net and (host and port 80))

All other traffic is still monitored.

the above should qualify your two wants... now, let's streamline them
a bit to make it more legible...

first, let's combine the two source networks into one statement...

net ( or

now the destination host and destination port...

host and port 80

then combine those two lines...

net ( or and host and port 80

and lastly negate the whole thing by enclosing it in parens with
'not' on the outside...

not (net ( or and host and port

plug that line into your bpf with the double quotes or whatever you
need to wrap around it and see what happens ;)

FWIW: this was minimally tested on my network via tcpdump and
manually checking the pcap with wireshark...

1. using 'src net' and 'dst host' plus 'dst port' resulted in only
the traffic /to/ the server being ignored but all the traffic from
the server was seen...

2. removing the 'src' and 'dst' designators denotes all traffic in
both directions that fits the mask (if i can use that term to
describe this object)...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
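As an added illustration of points 1 and 2 above (this is not code from the thread), the following Python models a BPF-style `not (...)` exclusion over a few constructed packets. Because the archive stripped the real networks and web host out of the message, RFC 5737 documentation addresses stand in for them; the packet tuples are constructed sample traffic, not a capture.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation ranges) for the two source
# networks and the web server that the archived message no longer shows.
NET_A = ipaddress.ip_network("192.0.2.0/24")
NET_B = ipaddress.ip_network("198.51.100.0/24")
WEB_HOST = ipaddress.ip_address("203.0.113.10")
WEB_PORT = 80

# A packet is (src_ip, src_port, dst_ip, dst_port).
def _ip(s):
    return ipaddress.ip_address(s)

def in_either_net(ip):
    """'net A or net B' applied to a single address."""
    return _ip(ip) in NET_A or _ip(ip) in NET_B

def directional_match(pkt):
    """'src net (A or B) and dst host H and dst port 80': only packets going
    toward the web server can match, so replies are still captured (point 1)."""
    src, _sport, dst, dport = pkt
    return in_either_net(src) and _ip(dst) == WEB_HOST and dport == WEB_PORT

def nondirectional_match(pkt):
    """'net (A or B) and host H and port 80': without src/dst qualifiers each
    test is satisfied by either endpoint, so both directions match (point 2)."""
    src, sport, dst, dport = pkt
    net_ok = in_either_net(src) or in_either_net(dst)
    host_ok = WEB_HOST in (_ip(src), _ip(dst))
    port_ok = WEB_PORT in (sport, dport)
    return net_ok and host_ok and port_ok

def apply_not_filter(pkts, match):
    """Emulate 'not (...)': keep every packet the inner expression does not match."""
    return [p for p in pkts if not match(p)]

# Constructed sample traffic.
REQUEST = ("192.0.2.25", 40123, "203.0.113.10", 80)    # client -> web server
REPLY   = ("203.0.113.10", 80, "192.0.2.25", 40123)    # web server -> client
SSH     = ("198.51.100.7", 51000, "203.0.113.10", 22)  # same host, other port
OUTSIDE = ("203.0.113.99", 33000, "203.0.113.10", 80)  # web, but not from A or B
SAMPLE = [REQUEST, REPLY, SSH, OUTSIDE]

def kept_with_directional():
    return apply_not_filter(SAMPLE, directional_match)

def kept_with_nondirectional():
    return apply_not_filter(SAMPLE, nondirectional_match)

if __name__ == "__main__":
    print("directional keeps:   ", kept_with_directional())
    print("nondirectional keeps:", kept_with_nondirectional())
```

With the directional form the server's reply slips through the exclusion and is still seen; dropping `src`/`dst` excludes the whole exchange while leaving the SSH and outside-network packets visible.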
