Snort mailing list archives

Custom Snort Rule Problem


From: Ryan Martin <rmartin () internet2 edu>
Date: Wed, 28 Nov 2012 21:48:53 +0000

Hello everyone,

I've been working on some rules lately and can't figure out why the rule below won't work.  It won't trigger on 
anything, even when I purposefully put traffic out there that should trigger it.

I've read the snort manual sections for the structure of a rule and IP Variables/IP Lists on how to exclude IP 
addresses from a block of IPs and such.  I also dug up some other online resources.  I'm not sure what the issue is, 
but if anyone out there could point me in the right direction on figuring out what my issue is, I'd be greatly 
appreciative.

Rule:

alert udp [$HOME_NET,![$DNS_SERVERS]] any -> [$EXTERNAL_NET,![8.8.8.8,8.8.4.4]] 53 (msg:"BLAH BLAH BLAH"; classtype:trojan-activity; sid:1000006; rev:1;)

It is the intent of the rule to trigger on all devices (but not the DNS servers) using a DNS server that we did not 
approve.  Google's DNS servers are in there because we use them on some of our other machines.  I'll worry about the 
DNS TCP traffic rule once I get this one figured out.

Thanks for any help,

-Ryan
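A way to check what the header of the rule above actually selects, as an added example that is not part of the original post and not Snort's own code. It implements the Snort 2.9 IP-list semantics described in the manual's IP Variables section (non-negated members are OR'ed, and the result is AND'ed with every negated member), expands variables using constructed stand-in definitions for HOME_NET, DNS_SERVERS and EXTERNAL_NET (assumptions, not the poster's snort.conf), and evaluates a few constructed UDP flows against the rule's source list, destination list and port. It does not explain why the poster's sensor is silent; it only shows whether the header logic matches the stated intent of "everything in HOME_NET except our DNS servers, talking to any non-approved resolver".

```python
import ipaddress
import re

# Constructed stand-in variable definitions for this example (assumed, not the poster's snort.conf).
VARS = {
    "HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "DNS_SERVERS": "[10.0.0.53,10.0.1.53]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The source and destination IP lists from the rule header in the post.
RULE_SRC = "[$HOME_NET,![$DNS_SERVERS]]"
RULE_DST = "[$EXTERNAL_NET,![8.8.8.8,8.8.4.4]]"
RULE_DST_PORT = 53

TOKEN_RE = re.compile(r"\s*([\[\],!]|any|\$[A-Za-z_]\w*|[0-9a-fA-F:.]+(?:/\d+)?)")


def tokenize(expr):
    """Split a Snort IP list into brackets, commas, '!', $variables, 'any' and addresses/CIDRs."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad IP list syntax at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(expr, variables):
    """Parse an IP list into a tree of ('any',), ('net', network), ('not', node), ('list', [nodes])."""
    node, rest = _parse_item(tokenize(expr), variables)
    if rest:
        raise ValueError(f"trailing tokens in IP list: {rest}")
    return node


def _parse_item(tokens, variables):
    if not tokens:
        raise ValueError("unexpected end of IP list")
    head, rest = tokens[0], tokens[1:]
    if head == "!":
        inner, rest = _parse_item(rest, variables)
        return ("not", inner), rest
    if head == "[":
        children = []
        while True:
            child, rest = _parse_item(rest, variables)
            children.append(child)
            if not rest:
                raise ValueError("unterminated '[' in IP list")
            sep, rest = rest[0], rest[1:]
            if sep == "]":
                return ("list", children), rest
            if sep != ",":
                raise ValueError(f"expected ',' or ']' but got {sep!r}")
    if head.startswith("$"):
        name = head[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return parse(variables[name], variables), rest  # variables expand recursively
    if head == "any":
        return ("any",), rest
    return ("net", ipaddress.ip_network(head, strict=False)), rest


def matches(node, addr):
    """Snort 2.9 semantics: OR the non-negated members, then AND with each negated member."""
    kind = node[0]
    if kind == "any":
        return True
    if kind == "net":
        return addr in node[1]
    if kind == "not":
        return not matches(node[1], addr)
    positives = [c for c in node[1] if c[0] != "not"]
    negatives = [c for c in node[1] if c[0] == "not"]
    # A list with only negated members (e.g. "!$HOME_NET") matches everything the negations allow.
    positive_ok = True if not positives else any(matches(c, addr) for c in positives)
    negative_ok = all(matches(c, addr) for c in negatives)  # each 'not' node already inverts
    return positive_ok and negative_ok


def rule_matches(src_ip, dst_ip, dst_port, variables=VARS):
    """True if the header of the posted rule would select this UDP flow (payload options ignored)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (dst_port == RULE_DST_PORT
            and matches(parse(RULE_SRC, variables), src)
            and matches(parse(RULE_DST, variables), dst))


def check_flows():
    """Evaluate constructed sample flows; returns [(src, dst, port, selected), ...]."""
    samples = [
        ("10.0.5.7", "1.2.3.4", 53),     # workstation -> unapproved external resolver: should fire
        ("10.0.0.53", "1.2.3.4", 53),    # approved DNS server forwarding upstream: excluded by source list
        ("10.0.5.7", "8.8.8.8", 53),     # workstation -> Google DNS: excluded by destination list
        ("10.0.5.7", "10.0.0.53", 53),   # workstation -> internal resolver: not EXTERNAL_NET
        ("10.0.5.7", "1.2.3.4", 5353),   # mDNS port, not 53
    ]
    return [(s, d, p, rule_matches(s, d, p)) for s, d, p in samples]


if __name__ == "__main__":
    for src, dst, port, selected in check_flows():
        print(f"{src:>10} -> {dst:>10}:{port:<5} {'MATCH' if selected else 'no match'}")
```

Swap the VARS entries for the values from your own snort.conf before trusting the output; if a flow you expect to match comes out "no match" here, the problem is in the list logic, and if it matches here but Snort stays silent, look at variable definitions, the udp port/direction, or whether the traffic reaches the sensor at all.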
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net