Snort mailing list archives

Re: Rule to exclude a specific IP in Snort


From: Chris Green <cmg () sourcefire com>
Date: Thu, 09 Oct 2003 09:28:10 -0400

"Juan M. Rivera" <jrivera () aupr edu> writes:

> I’m trying to modify the following Snort Rule:
>
> alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
> reference:cve,CVE-1999-0016;
> reference:url,www.cert.org/advisories/CA-1997-28.html;
> classtype:bad-unknown; sid:527; rev:4;)
>
> I’m getting an alert on just one ip address and I know what the problem is.
> So I’m trying to modify this rule so that it takes into account any internal
> ip address except 192.168.10.37.

Don't bother with changing the rule anymore for handling that case.

suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37

in snort 2.0.2. 
-- 
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.
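
The scope of the suppress line in the reply above, shown as an added example that is not part of the original message and not Snort's own code: a simplified Python model of how a `suppress` entry matches on generator ID, signature ID and tracked address. The alert records are constructed sample data, and sid 1000001 is a placeholder.

```python
import ipaddress
import re

# Simplified model of: suppress gen_id G, sig_id S[, track by_src|by_dst, ip ADDR[/CIDR]]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(line):
    """Parse one suppress directive into a dict; raise ValueError if malformed."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a suppress directive: {line!r}")
    gen_id, sig_id, track, ip = m.groups()
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return {"gen_id": int(gen_id), "sig_id": int(sig_id), "track": track, "net": net}

def is_suppressed(rule, alert):
    """True if this alert would be hidden by the given suppress entry."""
    if (alert["gen_id"], alert["sig_id"]) != (rule["gen_id"], rule["sig_id"]):
        return False  # other signatures are never affected
    if rule["track"] is None:
        return True   # no track/ip: the signature is silenced for every host
    addr = alert["src"] if rule["track"] == "by_src" else alert["dst"]
    return ipaddress.ip_address(addr) in rule["net"]

def filter_alerts(suppress_lines, alerts):
    """Return the alerts that remain visible after applying all suppress lines."""
    rules = [parse_suppress(line) for line in suppress_lines]
    return [a for a in alerts if not any(is_suppressed(r, a) for r in rules)]

# Constructed sample alerts (not real log data)
SAMPLE_ALERTS = [
    {"gen_id": 1, "sig_id": 527, "src": "192.168.10.37", "dst": "192.168.10.37"},
    {"gen_id": 1, "sig_id": 527, "src": "192.168.10.40", "dst": "192.168.10.40"},
    {"gen_id": 1, "sig_id": 1000001, "src": "192.168.10.37", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    line = "suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37"
    for alert in filter_alerts([line], SAMPLE_ALERTS):
        print(alert)  # sid 527 from other hosts and other sids from .37 still alert
```
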


