Snort mailing list archives
Re: Rule header variables
From: Matt Kettler <mkettler () EVI-INC COM>
Date: Wed, 22 Jan 2003 19:41:04 -0500
First, this list has a lot of UNIX shell users who can't read HTML mail. Please be kind and post in plain text not HTML.
To answer your question, yes you can do that easily. IP addresses can be a single IP, a subnet, or a group of subnets, and any of the above can be negated.
So you probably want

var HOME_CHECK_FOR_GAMBLING ![192.168.1.0/24,192.168.2.0/24]

Note that this is NOT the same as:

var HOME_CHECK_FOR_GAMBLING_BAD [!192.168.1.0/24,!192.168.2.0/24]

The second example is equivalent to "any".

Then you'd re-write your rule, using a SID greater than 1,000,000 to indicate that it's a local rule and use the new variable:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_CHECK_FOR_GAMBLING any (msg:"GAMBLING GAMES";content:"GAMBLING"; nocase; flow:to_client,established; sid:1020000; rev:1;)
And that should work. In the future you can read the docs
http://www.snort.org/docs/writing_rules/

Specifically this would have been answered by reading the IP addresses section:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3

At 06:48 PM 1/22/2003 -0500, Jim Schwin wrote (de-htmled by me):
Hello All,

Can a rule header specify all traffic except a few subnets or hosts? In this example can the source have variables to exclude a few subnets or hosts?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING GAMES";content:"GAMBLING"; nocase; flow:to_client,established; sid:20000; rev:1000;)

thanks
js
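An added illustration, not part of the original message and not Snort's own code: a small Python model of the two variable definitions above, assuming (as the reply describes) that the elements of a bracketed list are OR'ed together and that `!` inverts whatever follows it. The function names and the sample addresses are constructed for this example.

```python
import ipaddress

GOOD = "![192.168.1.0/24,192.168.2.0/24]"   # negate the whole list
BAD = "[!192.168.1.0/24,!192.168.2.0/24]"   # list of negated elements


def split_top_level(body):
    """Split a list body on commas that are not nested inside brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def matches(expr, addr):
    """Return True if addr is selected by the address expression (assumed semantics)."""
    expr = expr.strip()
    if expr.startswith("!"):
        # Negation applies to the single element or whole list that follows.
        return not matches(expr[1:], addr)
    if expr.startswith("[") and expr.endswith("]"):
        # A list matches when ANY of its elements matches (logical OR).
        return any(matches(p, addr) for p in split_top_level(expr[1:-1]))
    if expr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(expr, strict=False)


def compare(addrs):
    """Evaluate both definitions for each address: (addr, good, bad)."""
    return [(a, matches(GOOD, a), matches(BAD, a)) for a in addrs]


if __name__ == "__main__":
    # Constructed sample hosts: two inside the excluded subnets, two outside.
    for addr, good, bad in compare(
        ["192.168.1.5", "192.168.2.9", "192.168.3.1", "10.0.0.1"]
    ):
        print(f"{addr:<14} ![a,b]={good!s:<6} [!a,!b]={bad}")
```

Under this model an address inside 192.168.1.0/24 still satisfies `!192.168.2.0/24`, so the second form selects every host and the rule would keep alerting on the subnets it was meant to skip.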