Snort mailing list archives

Re: rules

From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 28 Apr 2004 16:11:37 -0400

At 12:08 PM 4/28/2004, Macaluso Aldo wrote:

i downloaded the rules from snort www.
I have a rules for snmp that matches more time "snmp pubblic access udp"
I would like to write a rule (in another file) that pass this one if the
source address is my home network, but alert for External network.


Question:

Why not just write the first rule to use EXTERNAL_NET as a source, anddefine EXTERNAL_NET to be !$HOME_NET instead of "any".





-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g

Get certified on the hottest thing ever to hit the market... Oracle 10g.Take an Oracle 10g class now, and we'll give you the exam FREE.http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

rules Macaluso Aldo (Apr 28)
- Re: rules Matt Kettler (Apr 28)
- Re: rules Alejandro Flores (Apr 28)