[Snort-sigs] Questions 101

Matt Kettler mkettler at ...189...
Thu Apr 3 13:45:14 EST 2003


First, you want IP instead of TCP (unless you really only want TCP traffic), 
and just leave the content part out. I also excluded home_net as the 
destination, so it will flag packets that arrive no matter what the 
destination address is. That part is up to you.

alert ip <IP>/32 any -> any any (msg:"LOCAL - traffic from <IP>"; classtype:misc-activity; sid:1000000; rev:1;)


At 03:20 PM 4/3/2003 -0500, Esler, Joel  Contractor wrote:
>To create a rule to look for specific IP's regardless of content would be???
>
>alert tcp <IP> any -> $home_net any; (MSG:<IP>; content:""; nocase;
>classification:misc-activity;)
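To make the difference between the two headers concrete, here is an added example (written for this page, not code from either poster or from the Snort project). It is a small Python evaluator for Snort rule headers only, with no payload options, since the question is about matching on source address regardless of content. It assumes a constructed source address 10.0.0.5 standing in for <IP>, a constructed $HOME_NET of 192.168.1.0/24, and a few constructed packets; the rule syntax and the use of `classtype` (the rule-file spelling of the classification option) and a local sid of 1000000 or higher follow the Snort rule format.

```python
import ipaddress
import re

# Constructed variable table, standing in for the var lines in snort.conf.
VARS = {"$HOME_NET": "192.168.1.0/24"}

# action proto src sport dir dst dport, followed by the option parenthesis.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_header(rule):
    """Split a rule's header into fields; raise on a malformed header."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"bad rule header: {rule!r}")
    return m.groupdict()


def sid_of(rule):
    """Return the rule's sid, or None if it has none (local rules use 1000000+)."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def addr_matches(spec, ip):
    """'any', a bare host, a CIDR block, a $VAR, or a negated form (!spec)."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    spec = VARS.get(spec, spec)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any', a single port, a lo:hi range (open-ended allowed), or !spec."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if port is None:  # no transport ports (e.g. ICMP): only 'any' can match
        return False
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(header, pkt):
    """pkt: dict with proto, src, sport, dst, dport (ports None for ICMP).

    An 'ip' rule matches every IP protocol; tcp/udp/icmp must match exactly.
    """
    if header["proto"] != "ip" and header["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(header["src"], src) and port_matches(header["sport"], sport)
                and addr_matches(header["dst"], dst) and port_matches(header["dport"], dport))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return header["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def count_matches(rule, packets):
    header = parse_header(rule)
    return sum(header_matches(header, p) for p in packets)


def matching_sids(rules, pkt):
    return [sid_of(r) for r in rules if header_matches(parse_header(r), pkt)]


# The recommended form: all IP traffic from the host, any destination.
RULE_IP = ('alert ip 10.0.0.5/32 any -> any any (msg:"LOCAL - traffic from 10.0.0.5"; '
           'classtype:misc-activity; sid:1000000; rev:1;)')
# The narrower form: TCP only, and only toward $HOME_NET.
RULE_TCP = ('alert tcp 10.0.0.5 any -> $HOME_NET any (msg:"LOCAL - tcp from 10.0.0.5"; '
            'classtype:misc-activity; sid:1000001; rev:1;)')

# Constructed sample traffic (not a capture): tcp, udp and icmp from the host, plus a stranger.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10", "dport": 22},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53, "dst": "192.168.1.10", "dport": 33434},
    {"proto": "icmp", "src": "10.0.0.5", "sport": None, "dst": "203.0.113.7", "dport": None},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 40002, "dst": "192.168.1.10", "dport": 80},
]

if __name__ == "__main__":
    for rule in (RULE_IP, RULE_TCP):
        print(f"sid {sid_of(rule)} matches {count_matches(rule, PACKETS)} of {len(PACKETS)} packets")
```

Run as a script it shows that the `ip ... -> any any` header fires on the TCP, UDP and ICMP packets from the host (three of four), while the `tcp ... -> $HOME_NET` header fires only on the one TCP packet bound for the home network; the stranger at 10.0.0.6 matches neither. The evaluator deliberately ignores rule options, so it says nothing about what Snort would do with a `content:` match; it only illustrates the header choice being discussed.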
