Snort mailing list archives
Re: Negation while still using source ports.
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 10 Sep 2001 16:38:42 -0700 (PDT)
On Mon, 10 Sep 2001, Vjay LaRosa wrote:
I have been fooling around with this rule all day and I was wondering if some one could be so kind as to help me out. I want to ignore my DNS servers in this alert. Here is the rule. alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC TCP source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
[...snip...] As others have pointed out, this is not doable with the current rules parser. Why don't you use a pass rule and then use the -o commandline option? Something like: pass udp $DNS_SERVERS 53 <> $HOME_NET any pass tcp $DNS_SERVERS 53 <> $HOME_NET any Or if worse comes to worse, you could use a BPF filter on the command line.... No warranty implied or intended. :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Negation while still using source ports. Vjay LaRosa (Sep 10)
- Re: Negation while still using source ports. Dragos Ruiu (Sep 10)
- NULL *froot ? Frank Reid (Sep 27)
- Re: Negation while still using source ports. Phil Wood (Sep 10)
- Re: Negation while still using source ports. Erek Adams (Sep 10)
- Re: Negation while still using source ports. Dragos Ruiu (Sep 10)