Snort mailing list archives

rule question


From: "Taylor Lewick" <Taylor.Lewick () us fortis com>
Date: Thu, 25 Apr 2002 16:08:30 -0500

How do I rewrite the following rule to either not alert the following message from a given ip to a given ip...
I checked the documentation and the thing I'm not sure about is the $HOME_NET and $EX_NET variables in place of any...
i.e., how would I say, alert on anything from my $EXTERNAL_NET going to my $HOME_NET, unless it comes from 100.100.100.4
going to 100.100.100.5

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|b0b5 cd80|"; blah blah blah;)

would I write..

alert ip !100.100.100.4 $EXTERNAL_NET -> !100.100.100.5 $HOME_NET (msg:"SHELLCODE x86 setgid 0"; content:"|b0b5 cd80|"; blah blah blah;)


Thanks,
Taylor

Taylor Lewick
Unix System Administrator
Fortis Benefits
816 881 6073

"Help Wanted.  Seeking Telepath..."
"You Know where to apply."
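An added example, not part of the original post, modelling how Snort applies `!` to each address field on its own: a rule of the form `!A -> !B` alerts only when the source is not A AND the destination is not B, so it silently stops alerting on A -> anything and anything -> B, not just A -> B. The model also shows the pass-rule alternative, which only exempts the one pair when pass rules are evaluated first (Snort's `-o` ordering). The networks and packets are constructed stand-ins for the poster's $EXTERNAL_NET/$HOME_NET.

```python
import ipaddress

def parse_addr(spec):
    """Parse a Snort-style address such as '100.100.100.4', '!10.0.0.0/8' or 'any'.
    Returns (network_or_None, negated); None stands for 'any'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return None, negated
    return ipaddress.ip_network(spec, strict=False), negated

def addr_matches(addr, parsed):
    """'!' flips the result for this one field, independently of the other field."""
    net, negated = parsed
    hit = True if net is None else ipaddress.ip_address(addr) in net
    return hit != negated

def rule_matches(src, dst, rule):
    """rule = (action, src_spec, dst_spec); both fields must match (logical AND)."""
    _, src_spec, dst_spec = rule
    return addr_matches(src, parse_addr(src_spec)) and addr_matches(dst, parse_addr(dst_spec))

def verdict(src, dst, rules, pass_first=True):
    """Return the first action whose rule matches, by action class.
    pass_first=True mirrors Snort's '-o' ordering (Pass->Alert->Log);
    pass_first=False is the default Alert->Pass->Log, where a pass rule never wins."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    for action in order:
        for rule in rules:
            if rule[0] == action and rule_matches(src, dst, rule):
                return action
    return "none"

# The poster's proposed single rule: each negation is applied on its own field.
NEGATED = [("alert", "!100.100.100.4", "!100.100.100.5")]

# Alternative: one pass rule for the exempt pair plus the general alert rule
# ('any' stands in for $EXTERNAL_NET / $HOME_NET in this constructed example).
WITH_PASS = [("pass", "100.100.100.4", "100.100.100.5"),
             ("alert", "any", "any")]

if __name__ == "__main__":
    for src, dst in [("100.100.100.4", "100.100.100.5"),
                     ("100.100.100.4", "100.100.100.6"),
                     ("100.100.100.9", "100.100.100.5")]:
        print(src, "->", dst,
              "negated:", verdict(src, dst, NEGATED),
              "pass-first:", verdict(src, dst, WITH_PASS))
```

Running it shows the negated rule staying silent for .4 -> .6 and .9 -> .5 as well as the intended .4 -> .5, while the pass-rule version exempts only that one pair.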
