Snort mailing list archives

Ignore host


From: "David Scott" <davidscott () mtgroup com>
Date: Fri, 11 Apr 2003 09:19:15 -0500

I'm trying to ignore traffic from a particular host, but ONLY for a specific
set of rules (PORN.RULES). I want to use the syntax

alert tcp $EXTERNAL_NET $HTTP_PORTS -> [$HOME_NET,!10.195.1.195/32] any (msg:"PORN alt.binaries.pictures.erotica"; content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:porn; sid:1836; rev:1;)

Where I've added !10.195.1.195/32 to the standard $HOME_NET variable. Is
this acceptable? Is this the most efficient way to do this?


David Scott
Memphis Technology Associates
http://www.perimeterdefenses.com


