Snort mailing list archives
snort rules, IP addresses and not's
From: "Young, Eric" <thatguy () bumail bradley edu>
Date: Thu, 11 Oct 2001 09:55:20 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm working on doing some snort rules to slim down my alerts where I know that they need to be. For an example, let's say I'm getting a lot of large ICMP packet alerts to a certain box and I know why it's doing it and so I want to keep those alerts out of my alerts file. What I'd really like to do is this: alert icmp $EXTERNAL_NET any -> [!123.456.789.123,$HOME_NET] any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; lasstype:bad-unknown; sid:499; rev:1;) Note in the dest IP addr seciton here the combination of an excluded IP address and an accepted range of IP addresses. So, I'm saying I want this rule to fire unless the destination is 123.456.789.123. Is it possible to mix accepted and not-accepted IP addresses like this in a single snort rule? I think I could write a pass rule for this but I'm hesitant to do the "-o" reordering as I would rather catch my mistakes. I've looked through the snort docs & they don't really address this format. Thanks for any info! -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO8Wy12DyAZzlGpYaEQLGUQCg+OwsTtgLnFGX1pvZcIiUg+3UpmAAnR/A VDu2kiK8hFUXEatRsiOWUML4 =+C9E -----END PGP SIGNATURE----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort rules, IP addresses and not's Young, Eric (Oct 11)