Snort mailing list archives

Re: IP Addresses in Rule


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Wed, 09 Oct 2002 10:43:06 -0700

At 12:57 PM 10/9/02 -0400, Mike McCabe wrote:
How do I include specific IP addresses in a rule? Say I want to have
certain IP addresses not looked at and still want the rule to use
EXTERNAL_NET... Something like:

alert tcp [!X.Y.W.Z/32,!A.B.C.D/32,!E.F.G.H/32,$EXTERNAL_NET] any ->
$HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+;
offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:255;
rev:2;)

But it doesn't seem to work...

Any help would be appreciated...

Mike

Well, the problem is this: the commas in a Snort IP list are logical ORs. If $EXTERNAL_NET includes x.y.w.z or a.b.c.d or e.f.g.h, the alert will still fire. If I am wrong about this, I wish one of the Snort people would tell me, because all of my past experience with Snort has told me that this is the case.

Of course, it makes sense, since creating a rule that listed [f.b.m.c,r.t.d.u] would mean you wanted both of them checked, which is a logical OR.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
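The following is an added example, not part of the thread and not Snort's own parser: a small Python model of the "comma means OR" list semantics described in the reply above. It is written to show, on the posted source field, why listing negated hosts next to $EXTERNAL_NET does not exclude them, and to contrast that with one negated list holding everything the rule should ignore. The grammar it implements (CIDR blocks, "any", "$VAR" expansion, bracketed sub-lists, a leading "!" negating an element, variables allowed inside a negated list) is an assumption made for the model; whether a particular Snort version accepts each of those forms in a rule or in a var/ipvar line must be checked against that version's manual. The addresses used are constructed documentation ranges.

```python
# Added example (not from the thread, not Snort's parser): a model of
# Snort-style IP list matching in which a list "[x,y,z]" matches when ANY
# element matches, which is the OR semantics the reply describes.
# Assumed grammar (check your Snort version's manual before relying on it):
#   element := CIDR block | "any" | "$VAR" | "[" list "]" ; "!" negates an element
# Error handling, ipvar/var distinctions and IPv6 lists are deliberately omitted.
import ipaddress


def _split_top_level(body):
    """Split 'a,[b,c],d' on the commas that are not inside brackets."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def compile_spec(spec, variables):
    """Turn one address spec into a predicate: ip_address -> bool."""
    spec = spec.strip()
    if spec.startswith("!"):
        inner = compile_spec(spec[1:], variables)
        return lambda addr: not inner(addr)
    if spec.startswith("$"):
        return compile_spec(variables[spec[1:]], variables)
    if spec.startswith("["):
        if not spec.endswith("]"):
            raise ValueError("unbalanced list: %r" % spec)
        members = [compile_spec(m, variables) for m in _split_top_level(spec[1:-1])]
        return lambda addr: any(m(addr) for m in members)  # comma == logical OR
    if spec == "any":
        return lambda addr: True
    net = ipaddress.ip_network(spec, strict=False)
    return lambda addr: addr in net


def matches(spec, address, variables):
    """True if the address matches the spec under the assumed semantics."""
    return compile_spec(spec, variables)(ipaddress.ip_address(address))


# Constructed sample variables (documentation ranges, not real hosts).
VARIABLES = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The source field from the original post with its placeholders filled in.
# Each element is OR'd, so the second negated host alone already matches
# 203.0.113.5, and $EXTERNAL_NET admits both hosts on top of that.
POSTED_SOURCE = "[!203.0.113.5/32,!203.0.113.6/32,$EXTERNAL_NET]"

# One way to express the intended exclusion under these semantics: negate a
# single list that holds everything the rule should ignore, so the address
# has to fall outside ALL of it (the negation of an OR is an AND of NOTs).
EXCLUDING_SOURCE = "![$HOME_NET,203.0.113.5/32,203.0.113.6/32]"


def demo():
    """Evaluate both source fields; returns {ip: (posted, excluding)}."""
    probes = ["203.0.113.5", "203.0.113.6", "198.51.100.7", "192.168.1.10"]
    return {
        ip: (matches(POSTED_SOURCE, ip, VARIABLES),
             matches(EXCLUDING_SOURCE, ip, VARIABLES))
        for ip in probes
    }


if __name__ == "__main__":
    for ip, (posted, excluding) in demo().items():
        print(f"{ip:15} posted list -> {posted!s:5}  negated list -> {excluding}")
```

Under the modelled semantics the posted list matches every probe, including the two hosts it was meant to skip and even an address inside HOME_NET, because two negated single hosts OR'd together already cover the whole address space; the negated single list rejects the two hosts and HOME_NET and accepts the remaining outside address.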


