[Snort-sigs] exclude IP from a rule

Nick Duda nduda at ...1896...
Tue Sep 23 04:52:02 EDT 2003

I have a sig (below) that grabs SNMP traffic. How can I exclude 1 internal IP from the rule?
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Thanks in advance

Nick Duda, CCSA, Security+
Systems Administrator
*  Email: nduda at ...1897...
