Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Rules Question

From: "Roy Kidder" <rkidder () safelite net>
Date: Fri, 25 Feb 2005 08:25:33 -0500
I'm trying to write what I expected to be a simple set rules, but it's not
working for me. They look like this:

pass udp any any <> 10.0.0.10 53
pass udp any any <> 192.168.1.5 53
alert udp any any <> any 53 (msg: "DNS Query";)

What I expected was to alert on any DNS queries except those to 10.0.0.10 or
to 192.168.1.5. Instead, I'm seeing alerts on everything including those two
hosts. 

Any pointers on what I did wrong?

Thanks in advance,
Roy

 
Roy Kidder
Network Engineer
Safelite Glass Corp.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: