[Snort-sigs] newbie rule writer

Mark Brochu mbrochu at ...730...
Mon Aug 5 19:03:04 EDT 2002


Steve, 

Try looking into pass rules for snort.  You can make pass rules get parsed before all others, so you could write something like this:

pass icmp x.x.x.x any -> $HOME_NET any;

  ----- Original Message ----- 
  From: Steve Postma 
  To: snort-sigs at lists.sourceforge.net 
  Sent: Monday, August 05, 2002 3:01 PM
  Subject: [Snort-sigs] newbie rule writer


  I am trying to modify my rules so that any pings from the machine at 10.5.75.229 do not result in an alert.

  I have tried the modification below, but am getting this error. snort snort: FATAL ERROR: ERROR icmp-info.rules (33): Illegal direction specifier: any"

  What is the correct syntax to remove one IP from a rule?

  alert icmp !10.5.75.229 any,$HOME_NET any -> $EXTERNAL_NET any

  Thanks for your time,

  Steve
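
Why the rule in the question stops at "Illegal direction specifier: any", as an added example that is not part of the original thread and is not Snort's own parser: a simplified model that splits the rule header on whitespace and checks its seven fields. The function name, the regexes and the PASS and NEGATED sample rules are assumptions constructed for illustration.

```python
import re

# Simplified model of a Snort rule header (illustrative, not Snort's parser):
#   action proto src_ip src_port direction dst_ip dst_port [(options)]
FIELDS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
ADDR = re.compile(r"^!?(any|\$\w+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")
PORT = re.compile(r"^!?(any|\$\w+|\d+(:\d*)?|:\d+)$")

def check_header(rule):
    """Return (ok, message) for the header part of one rule line."""
    header = rule.split("(", 1)[0]            # options, if any, start at '('
    tokens = header.split()
    # The fifth whitespace-separated token is read as the direction operator.
    if len(tokens) > 4 and tokens[4] not in DIRECTIONS:
        return False, "Illegal direction specifier: " + tokens[4]
    if len(tokens) != len(FIELDS):
        return False, "expected %d header fields, got %d" % (len(FIELDS), len(tokens))
    f = dict(zip(FIELDS, tokens))
    if f["action"] not in ACTIONS:
        return False, "unknown action: " + f["action"]
    if f["proto"] not in PROTOS:
        return False, "unknown protocol: " + f["proto"]
    for side in ("src_ip", "dst_ip"):
        if not ADDR.match(f[side]):
            return False, "bad address in %s: %s" % (side, f[side])
    for side in ("src_port", "dst_port"):
        if not PORT.match(f[side]):
            return False, "bad port in %s: %s" % (side, f[side])
    return True, "ok"

# Rule from the question: the extra "any,$HOME_NET" token pushes a second
# "any" into the position where "->" or "<>" is expected.
STEVE = "alert icmp !10.5.75.229 any,$HOME_NET any -> $EXTERNAL_NET any"
# Constructed: the pass-rule form from the reply with the address filled in.
PASS = "pass icmp 10.5.75.229 any -> $HOME_NET any"
# Constructed: a seven-field header that negates a single source address.
NEGATED = "alert icmp !10.5.75.229 any -> $EXTERNAL_NET any"

if __name__ == "__main__":
    for r in (STEVE, PASS, NEGATED):
        print(check_header(r), "<=", r)
```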

