[Snort-sigs] Questions 101
mkettler at ...189...
Thu Apr 3 13:45:14 EST 2003
First you want IP instead of TCP (unless you really only want TCP traffic)
and just leave the content part out. I also excluded home_net as the
destination, so it will flag packets that arrive no matter what the
destination address is. That part is up to you.
alert ip <IP>/32 any -> any any (msg:"LOCAL - traffic from <IP>"; classtype:misc-activity; sid:1000000; rev:1;)
At 03:20 PM 4/3/2003 -0500, Esler, Joel Contractor wrote:
>To create a rule to look for specific IPs regardless of content would be???
>alert tcp <IP> any -> $home_net any; (MSG:<IP>; content:""; nocase;
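As an added example (not code from this post or from Snort): a minimal Python evaluator for the header part of a Snort rule, run over constructed packets, to show what the suggested "ip ... -> any any" header catches that the original "tcp ... -> $HOME_NET" draft does not. The value of $HOME_NET, the 10.0.0.5 address standing in for <IP>, and the packets are assumed; only the header is modelled and rule options are ignored.

```python
import ipaddress
import re

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed $HOME_NET (constructed)
# Header only: "alert <proto> <src> <sport> -> <dst> <dport>"; options are ignored.
HEADER_RE = re.compile(r"^alert\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")

def _net(token):
    # 'any' -> None (matches everything); $HOME_NET -> the configured network
    if token.lower() == "any":
        return None
    if token.lower() == "$home_net":
        return HOME_NET
    return ipaddress.ip_network(token, strict=False)
def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def parse_header(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a simple alert rule: %r" % rule)
    proto, src, sport, dst, dport = m.groups()
    return proto.lower(), _net(src), sport, _net(dst), dport

def matches(rule, proto, src, sport, dst, dport):
    """True if a packet (proto, src, sport, dst, dport) hits the rule header."""
    rproto, snet, sp, dnet, dp = parse_header(rule)
    if rproto != "ip" and rproto != proto:
        return False  # 'ip' covers tcp, udp and icmp alike; 'tcp' does not
    if snet is not None and ipaddress.ip_address(src) not in snet:
        return False
    if dnet is not None and ipaddress.ip_address(dst) not in dnet:
        return False
    return _port_ok(sp, sport) and _port_ok(dp, dport)

# The two headers under discussion, with 10.0.0.5 (constructed) standing in for <IP>.
DRAFT = 'alert tcp 10.0.0.5 any -> $HOME_NET any (msg:"draft"; sid:1000001;)'
FIXED = 'alert ip 10.0.0.5/32 any -> any any (msg:"LOCAL - traffic from 10.0.0.5"; classtype:misc-activity; sid:1000000; rev:1;)'

# Constructed packets: (proto, src, sport, dst, dport); ICMP carries no ports.
PACKETS = [
    ("tcp",  "10.0.0.5", 40000, "192.168.1.10", 80),   # TCP into HOME_NET
    ("udp",  "10.0.0.5", 53000, "192.168.1.10", 53),   # UDP into HOME_NET
    ("icmp", "10.0.0.5", 0,     "192.168.1.10", 0),    # ping into HOME_NET
    ("tcp",  "10.0.0.5", 40000, "203.0.113.7",  443),  # TCP to a host outside HOME_NET
]

def hits(rule):
    # Labels of the constructed packets the rule header would fire on
    return ["%s->%s" % (p[0], p[3]) for p in PACKETS if matches(rule, *p)]
```

The draft header fires only on the TCP packet bound for HOME_NET; the suggested header fires on all four.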