Snort mailing list archives

RE: Rule to exclude a specific IP in Snort

From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Thu, 9 Oct 2003 14:20:25 +0100

Seeing as Erek always phrases it better, have a look at:

http://marc.theaimsgroup.com/?t=104923483400003&r=1&w=2

And

http://www.theadamsfamily.net/~erek/snort/ignore.txt

Richard

-----Original Message-----
From: Juan M. Rivera [mailto:jrivera () aupr edu] 
Sent: 09 October 2003 13:20
To: Snort Users List
Subject: [Snort-users] Rule to exclude a specific IP in Snort


I'm trying to modify the following Snort Rule:

Alert ip any any -> any any (msg:"BAD-TRAFFIC same SCR/DST"; sameip;
reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

I'm getting an alert on just one ip address and I know what the problem
is.
So I'm trying to modify this rule so that it takes into account any
internal
ip address except 192.168.10.37.

Hoe do I modify the rule?


Juan M. Rivera Rivera
IT Director
American University of P.R.




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
- EXTERNAL_NET definition in Snort Jukka Juslin (Oct 09)
  - Re: EXTERNAL_NET definition in Snort Erek Adams (Oct 09)
- Re: Rule to exclude a specific IP in Snort Chris Green (Oct 09)
  - RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 09)
    - Re: Rule to exclude a specific IP in Snort Chris Green (Oct 09)
  - RE: Rule to exclude a specific IP in Snort Juan M. Rivera (Oct 14)
- <Possible follow-ups>
- RE: Rule to exclude a specific IP in Snort Hutchinson, Andrew (Oct 09)
  - RE: Rule to exclude a specific IP in Snort Jason (Oct 09)
- RE: Rule to exclude a specific IP in Snort Grime, Richard S (Oct 09)
- FW: Rule to exclude a specific IP in Snort grant (Oct 16)
  - Re: FW: Rule to exclude a specific IP in Snort Erek Adams (Oct 16)
- Re: Rule to exclude a specific IP in Snort Nordwall, Douglas J (Oct 20)