Snort mailing list archives

snort rules, IP addresses and not's


From: "Young, Eric" <thatguy () bumail bradley edu>
Date: Thu, 11 Oct 2001 09:55:20 -0500

 

I'm working on doing some snort rules to slim down my alerts where I know
that they need to be.

For an example, let's say I'm getting a lot of large ICMP packet alerts to a
certain box and I know why it's doing it and so I want to keep those alerts
out of my alerts file.

What I'd really like to do is this:

alert icmp $EXTERNAL_NET any -> [!123.456.789.123,$HOME_NET] any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)


Note in the dest IP addr section here the combination of an excluded IP
address and an accepted range of IP addresses.  So, I'm saying I want this
rule to fire unless the destination is 123.456.789.123.  Is it possible to
mix accepted and not-accepted IP addresses like this in a single snort rule?
I think I could write a pass rule for this but I'm hesitant to do the "-o"
reordering as I would rather catch my mistakes.

I've looked through the snort docs & they don't really address this format.

Thanks for any info!


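The semantics the post is asking for (positive entries OR'd together, each `!` entry carved out of that set, a leading `!` negating the whole list) can be modelled in a few lines; this is an added example, not code from the post or from Snort itself. It assumes a constructed HOME_NET/EXTERNAL_NET table and uses RFC 5737 documentation addresses in place of the post's 123.456.789.123, which is not a valid IPv4 address.

```python
import ipaddress
import re

# Constructed stand-in for the var lines in snort.conf (assumption, not the poster's config)
VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!192.0.2.0/24"}

def expand(spec, variables):
    """Substitute $VAR references until none remain."""
    prev = None
    while prev != spec:
        prev = spec
        spec = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], spec)
    return spec

def parse_ip_list(spec, variables):
    """Split a Snort address field into (negate_whole, positives, negatives).
    Handles one level of [ ... ]; nested bracket lists are not modelled here."""
    spec = expand(spec, variables)
    negate_whole = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    positives, negatives = [], []
    for tok in (t.strip() for t in body.split(",") if t.strip()):
        (negatives if tok.startswith("!") else positives).append(tok.lstrip("!"))
    return negate_whole, positives, negatives

def in_net(ip, tok):
    """True if ip falls inside tok ('any', a host address or a CIDR block)."""
    if tok == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)

def matches(spec, ip, variables=VARS):
    """Does address ip satisfy the Snort-style address field spec?"""
    negate_whole, positives, negatives = parse_ip_list(spec, variables)
    # Positive entries are OR'd; with none given, every address is in scope.
    hit = any(in_net(ip, t) for t in positives) if positives else True
    # Each negated entry removes its addresses from that scope.
    hit = hit and not any(in_net(ip, t) for t in negatives)
    return (not hit) if negate_whole else hit

def rule_applies(src_spec, dst_spec, src_ip, dst_ip, variables=VARS):
    """Header check for 'alert icmp SRC any -> DST any': both fields must match."""
    return matches(src_spec, src_ip, variables) and matches(dst_spec, dst_ip, variables)

if __name__ == "__main__":
    DST = "[!192.0.2.10,$HOME_NET]"   # the post's field, with a valid exempt host
    for dst in ("192.0.2.10", "192.0.2.20", "198.51.100.5"):
        print(dst, rule_applies("$EXTERNAL_NET", DST, "203.0.113.7", dst))
```

Run as a script it reports that the exempt host 192.0.2.10 is skipped, another HOME_NET host still triggers, and an address outside HOME_NET never does.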

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
