Snort mailing list archives

Rule to exclude a specific IP in Snort


From: "Juan M. Rivera" <jrivera () aupr edu>
Date: Thu, 9 Oct 2003 08:19:57 -0400

I’m trying to modify the following Snort Rule:

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip;
reference:cve,CVE-1999-0016;
reference:url,www.cert.org/advisories/CA-1997-28.html;
classtype:bad-unknown; sid:527; rev:4;)

I’m getting an alert on just one IP address and I know what the problem is.
So I’m trying to modify this rule so that it takes into account any internal
IP address except 192.168.10.37.

How do I modify the rule?


Juan M. Rivera Rivera
IT Director
American University of P.R.
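
One way to express the exclusion asked about above, as an added example that is not part of the original post. It assumes Snort 2.x rule and suppression syntax; the sid 1000527 and the changed msg text are constructed values.

```snort
# Added example, not from the original message. Assumes Snort 2.x syntax.
#
# Option 1: a local copy of sid:527 with the source address negated.
# sameip only fires when source and destination addresses are equal, so
# negating the source alone is enough to exclude 192.168.10.37.
# The copy gets its own sid (1000527, constructed; local rules conventionally
# use sids >= 1000000) so a rules update does not overwrite it. Comment out
# the stock sid:527 when this copy is enabled, or both will be evaluated.
alert ip !192.168.10.37 any -> any any (msg:"BAD-TRAFFIC same SRC/DST except 192.168.10.37"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:1000527; rev:1;)

# Option 2: leave the stock rule untouched and suppress its alerts for the
# one known source (typically placed in threshold.conf on Snort 2.x).
# The rule still alerts for every other address.
suppress gen_id 1, sig_id 527, track by_src, ip 192.168.10.37
```

With either option the exclusion is limited to one host, so same-source/destination traffic from any other address still produces the alert.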



