Snort mailing list archives
RE: Rule to exclude a specific IP in Snort
From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Thu, 9 Oct 2003 14:20:25 +0100
Seeing as Erek always phrases it better, have a look at:

http://marc.theaimsgroup.com/?t=104923483400003&r=1&w=2

And

http://www.theadamsfamily.net/~erek/snort/ignore.txt

Richard

-----Original Message-----
From: Juan M. Rivera [mailto:jrivera () aupr edu]
Sent: 09 October 2003 13:20
To: Snort Users List
Subject: [Snort-users] Rule to exclude a specific IP in Snort

I'm trying to modify the following Snort Rule:

Alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)

I'm getting an alert on just one ip address and I know what the problem is. So I'm trying to modify this rule so that it takes into account any internal ip address except 192.168.10.37. How do I modify the rule?

Juan M. Rivera Rivera
IT Director
American University of P.R.

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
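
One way to do what the question asks, given here as an added example that is not part of either message and is not taken from the linked ignore.txt: disable the stock sid:527 and load a local copy with the source address negated. The variable name SAMEIP_IGNORE, the sid 1000527 and the changed msg text are assumptions chosen for illustration.

```snort
# local.rules (added example; variable name and sid are illustrative assumptions)

# Host to exempt from the same-source/destination check.
# The address is the one given in the question.
var SAMEIP_IGNORE 192.168.10.37

# Comment out or disable the stock sid:527 in the distributed rules file,
# otherwise it keeps alerting alongside this copy.

# Local copy of sid:527 with the source negated. Local rules use a
# sid of 1000000 or higher so they never collide with distributed rules.
alert ip !$SAMEIP_IGNORE any -> any any (msg:"BAD-TRAFFIC same SRC/DST (excluding 192.168.10.37)"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:1000527; rev:1;)
```

Because sameip only matches when source and destination addresses are equal, negating the source alone is enough to exclude the host. The cost is that same-source/destination packets carrying 192.168.10.37 no longer alert at all, so the exemption should stay as narrow as this single address.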