Snort mailing list archives

Problem with rule


From: "james" <the_saint_james () yahoo com>
Date: Wed, 13 Mar 2002 11:18:29 -0700

var RADIUS_EXT [!216.126.128.165,!216.126.128.164,!66.19.192.195,!66.19.192.194,!216.126.136.244,\
!216.126.136.243,!216.126.128.11,!216.126.128.10,\
!216.126.128.9,!216.126.128.8,!192.5.41.40,!192.5.41.41,!216.126.128.8,!216.126.128.9,\
!216.126.128.10,!216.126.128.11,!216.126.128.164,!216.126.128.165,!216.126.136.243,!66.19.192.194]

alert tcp $RADIUS_EXT any -> $RADIUS 1645:1646 (msg:"Radius External TCP radius traffic not\
in allow table"; flags:A+;)
alert udp $RADIUS_EXT any -> $RADIUS 1645:1646 (msg:"Radius External UDP radius traffic not\
in allow table";)


I have also tried doing var RADIUS_EXT ![216.126.128.165, etc.]

This does not seem to work. I am trying to alert on outside radius contacts
to our radius servers.
Still getting alerts from the IPs in $RADIUS_EXT. The rule does alert on
contacts from radius ports.
What am I doing wrong?
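
The symptom in the post is what results if a bracketed list is evaluated as an OR over its entries, with each `!` negating only its own entry; that evaluation model is an assumption here, not something the post confirms. The following added example (not part of the original message) parses a variable in the post's syntax and compares that model with the intended "source is none of these" check. The function names, the shortened sample list and the 203.0.113.7 address are constructed.

```python
import ipaddress

def parse_ip_list(text):
    """Parse a Snort-style list such as "[!10.0.0.1,!10.0.0.0/24]".

    Returns (network, negated) pairs. Backslash line continuations and
    whitespace are dropped; a leading '!' marks the entry as negated."""
    flat = text.replace("\\\n", "").replace("\n", "").strip()
    entries = []
    for item in flat.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        entries.append((net, negated))
    return entries

def matches_any_entry(ip, entries):
    """Assumed model: the list is an OR, each '!' negates only its own entry."""
    addr = ipaddress.ip_address(ip)
    return any((addr in net) != negated for net, negated in entries)

def matches_none_listed(ip, entries):
    """Intended meaning: alert only when the source is in none of the networks."""
    addr = ipaddress.ip_address(ip)
    return all(addr not in net for net, _ in entries)

def still_alerting(entries):
    """Allow-listed hosts that the assumed OR model would still alert on."""
    hosts = [str(net.network_address) for net, negated in entries if negated]
    return [h for h in hosts if matches_any_entry(h, entries)]

# Constructed sample: the first entries of the list in the post.
RADIUS_EXT = "[!216.126.128.165,!216.126.128.164,\\\n!66.19.192.195]"

if __name__ == "__main__":
    entries = parse_ip_list(RADIUS_EXT)
    print("still alerting under OR model:", still_alerting(entries))
    print("intended check, allowed host:",
          matches_none_listed("216.126.128.165", entries))
    print("intended check, outside host:",
          matches_none_listed("203.0.113.7", entries))
```

Under the OR model, "not A" is true for B and "not B" is true for A, so once the list holds two different negated addresses every source matches at least one entry; only a single-entry list excludes its host.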

