[Snort-sigs] Inverted list of IPs

Martin Olsson elof at ...1288...
Tue Oct 28 08:22:18 EST 2003


I have this rule:
alert tcp any any -> any 80 (foo bar...)

Now I want to exclude two sourceaddresses from it. Can I simply do it like
this?

alert tcp ![1.1.1.1/32,2.2.2.2/32] any -> any 80 (foo bar...)


..or will a packet from 2.2.2.2 match the rule anyhow since 2.2.2.2 !=
1.1.1.1?

/Martin





More information about the Snort-sigs mailing list