[Snort-sigs] Inverted list of IPs

Nick Duda nduda at ...1896...
Tue Oct 28 08:30:18 EST 2003


I use that method and it works for me.

-----Original Message-----
From: Martin Olsson [mailto:elof at ...1288...] 
Sent: Tuesday, October 28, 2003 11:21 AM
To: snort-sigs mailinglist
Subject: [Snort-sigs] Inverted list of IPs


I have this rule:
alert tcp any any -> any 80 (foo bar...)

Now I want to exclude two sourceaddresses from it. Can I simply do it
like
this?

alert tcp ![1.1.1.1/32,2.2.2.2/32] any -> any 80 (foo bar...)


..or will a packet from 2.2.2.2 match the rule anyhow since 2.2.2.2 !=
1.1.1.1?

/Martin



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




More information about the Snort-sigs mailing list