[Snort-sigs] newbie rule writer

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Aug 5 13:18:09 EDT 2002


 
try 
pass icmp 10.5.75.229 any -> any any (msg:"dont really need a message"; sid:1000000000; rev: 1;)
	-----Original Message-----
	From: Steve Postma [mailto:spostma at ...723...] 
	Sent: Monday, August 05, 2002 2:01 PM
	To: snort-sigs at lists.sourceforge.net
	Subject: [Snort-sigs] newbie rule writer
	
	
	I am trying to modify my rules so that any pings from the machine at 10.5.75.229 do not result in an alert. 
	I have tried the modification below, but am getting this error:
	snort snort: FATAL ERROR: ERROR icmp-info.rules (33): Illegal direction specifier: any"
	 
	What is the correct syntax to remove one IP from a rule?
	 
	 
	 
	alert icmp !10.5.75.229 any,$HOME_NET any -> $EXTERNAL_NET any 
	 
	Thanks for your time, 
	Steve
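
Why the parser names `any` as the direction, as an added example that is not part of the original thread and not Snort's own code: a rule header is seven whitespace-separated fields read by position, so the extra token `any,$HOME_NET` lands in the source-port slot and pushes `any` into the direction slot. The function and field names below are hypothetical and the model is simplified; the two rules are the ones quoted in the messages above.

```python
# Added illustration: a simplified positional model of a Snort rule header.
# Assumption: names such as parse_header and FIELDS are hypothetical.
FIELDS = ("action", "protocol", "src_ip", "src_port",
          "direction", "dst_ip", "dst_port")
DIRECTIONS = ("->", "<>")

# Rules copied from the thread.
BROKEN = "alert icmp !10.5.75.229 any,$HOME_NET any -> $EXTERNAL_NET any"
PASS_RULE = ('pass icmp 10.5.75.229 any -> any any '
             '(msg:"dont really need a message"; sid:1000000000; rev: 1;)')


def parse_header(rule):
    """Return (fields, error); error is None when the header is well formed."""
    header = rule.split("(", 1)[0]        # drop the option block, if present
    tokens = header.split()               # fields are separated by whitespace
    fields = dict(zip(FIELDS, tokens))    # assign tokens to fields by position
    if len(tokens) < len(FIELDS):
        return fields, "missing field: %s" % FIELDS[len(tokens)]
    if fields["direction"] not in DIRECTIONS:
        return fields, "Illegal direction specifier: %s" % fields["direction"]
    if len(tokens) > len(FIELDS):
        return fields, "unexpected extra token: %s" % tokens[len(FIELDS)]
    return fields, None


def explain(rule):
    """Render each positional field and the verdict as printable text."""
    fields, error = parse_header(rule)
    lines = ["%-9s = %s" % (name, fields.get(name, "<absent>"))
             for name in FIELDS]
    lines.append("result    = %s" % (error or "header OK"))
    return "\n".join(lines)


if __name__ == "__main__":
    for rule in (BROKEN, PASS_RULE):
        print(rule)
        print(explain(rule))
        print()
```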
	 
	 
	 
	 