Home page logo
/

snort logo Snort mailing list archives

Re: Different bpf filter for every multiple config used in snort
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 22 May 2013 10:21:11 -0400

On Wed, May 22, 2013 at 9:15 AM, C. L. Martinez <carlopmart () gmail com> wrote:
On Tue, May 21, 2013 at 12:17 PM, Russ Combs <rcombs () sourcefire com> wrote:
Probably not in that form.  I'm guessing you actually want to select a
policy by BPF, not the other way around.  What are you trying to do
beyond the network or  VLAN bindings available now?


Sorry for the late response Russ. I need to configure one snort
instance with two different configs:

a) One configuration needs to monitor lan 10.196.0.0/24 except 10.196.0.15 host
b) Another configuration needs to monitor only traffic that comes and
go to/from host 10.196.0.15.

Obviously, I can do this using two snort instances, but it will be
good to do with only one instance ...

Have you considered this setup with just one instance?

-- snort.conf is for 10.196.0.0/24
-- snort.conf has:

config binding: host.conf net 10.196.0.15

-- host.conf is for host only
-- use a BPF to limit traffic snort inspects to your network

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]