Snort mailing list archives
Rule help
From: "Gordon Cunningham" <gcunnin2 () bellsouth net>
Date: Mon, 27 Jan 2003 10:34:18 -0500
I'm not quite sure how to approach writing or modifying rules for this scenario. I have several hosts on my LAN that use SNMP polling for monitoring. If I use the default rulebase for "SNMP request udp", these hosts will continually trigger alerts. However, I'm not sure how to write the rule to exclude them but still limit the FROM addresses to my LAN.

In other words, I'd like to get SNMP Request UDP alerts from any hosts on my LAN (which is a subset of the entire company network) OTHER than the few I've designated. How do I designate a subnet and exclude a few hosts from that subnet?

I tried this; it doesn't seem to work with 1.9.0:

alert udp [$HOME_NET,!1.2.4.4,!2.3.4.5,!5.4.3.2] any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

- Gordon
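One way to sidestep the question of whether a given Snort version accepts negated entries mixed into an address list is to not negate at all: compute "LAN minus the designated pollers" as a plain list of CIDR blocks and put that positive list in the rule's source field. The script below is an added example, not code from the original post or from the Snort project; the LAN 10.0.0.0/24, the two poller addresses and the local sid 1000001 are constructed values for illustration, and the rule text mirrors the stock SNMP rule quoted above.

```python
import ipaddress

# Constructed sample input: a monitored LAN and the SNMP pollers that may
# legitimately query every host on it (not real addresses).
LAN = "10.0.0.0/24"
POLLERS = ["10.0.0.4", "10.0.0.5"]


def lan_minus_hosts(lan, excluded):
    """Return the minimal list of CIDR blocks covering `lan` with every
    address in `excluded` carved out, as strings sorted by network address.

    This is the positive-list equivalent of "[LAN,!a,!b]": old engines that
    do not understand negation inside a list can still consume it."""
    net = ipaddress.ip_network(lan, strict=True)
    remaining = [net]
    for host in excluded:
        h = ipaddress.ip_network(host)          # a /32 for a bare address
        # Find the block that still contains this host; if there is none the
        # host is outside the LAN (or already excluded), which is a config error.
        parent = next((r for r in remaining if h.subnet_of(r)), None)
        if parent is None:
            raise ValueError(f"{host} is not inside {lan} or was listed twice")
        remaining.remove(parent)
        # address_exclude() splits the block into the sub-blocks around `h`;
        # it yields nothing when h == parent, i.e. the block disappears.
        remaining.extend(parent.address_exclude(h))
    # Merge adjacent blocks back together and sort for a stable rule text.
    merged = ipaddress.collapse_addresses(remaining)
    return [str(b) for b in sorted(merged, key=lambda b: int(b.network_address))]


def snort_rule(lan, excluded, sid=1000001, rev=1):
    """Build an 'SNMP request udp' rule whose source list is the LAN with the
    pollers removed.  A local sid (>= 1000000 by convention) is used rather
    than re-using the stock sid 1417, so the stock rule can stay disabled
    without two rules sharing an id."""
    src = ",".join(lan_minus_hosts(lan, excluded))
    return (
        f"alert udp [{src}] any -> $HOME_NET 161 "
        f'(msg:"SNMP request udp"; reference:cve,CAN-2002-0012; '
        f"reference:cve,CAN-2002-0013; sid:{sid}; rev:{rev}; "
        "classtype:attempted-recon;)"
    )


def is_covered(lan, excluded, address):
    """Check helper: does the generated list match `address`?  Useful for
    sanity-testing the rule offline before loading it."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(b) for b in lan_minus_hosts(lan, excluded))


if __name__ == "__main__":
    print(snort_rule(LAN, POLLERS))
```

Two 32-bit hosts carved out of a /24 yield seven blocks, so the list stays short; carving many scattered hosts out of a large network grows the list quickly, at which point a BPF filter or a pass rule in front of the alert rule is the more maintainable option. Whatever is chosen, the generated rule should be loaded with the stock sid 1417 rule disabled, otherwise the pollers still fire on the original.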
Current thread:
- Thoughts on Snort-flex rule? Rich Adamson (Jan 26)
- Re: Thoughts on Snort-flex rule? Erek Adams (Jan 26)
- SNMP - SNORT Mike Koponick (Jan 26)
- RH 8.0 & SNMP Mike Koponick (Jan 26)
- Rule help Gordon Cunningham (Jan 27)
- Re: Rule help Erick Mechler (Jan 27)
- RE: Rule help Gordon Cunningham (Jan 27)
- Re: Rule help Erek Adams (Jan 27)
- SNMP - SNORT Mike Koponick (Jan 26)
- Re: Thoughts on Snort-flex rule? Erek Adams (Jan 26)