[Snort-sigs] exclude IP from a rule

Nick Duda nduda at ...1896...
Tue Sep 23 05:39:08 EDT 2003


Great! I've gotten great feedback on this. Will this continue to alert me on this rule excluding that IP?
I am using the -o option on the snort root command now.
 
- Nick

-----Original Message-----
From: Esler, Joel Contractor [mailto:joel.esler at ...783...]
Sent: Tuesday, September 23, 2003 8:33 AM
To: Nick Duda; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] exclude IP from a rule


pass udp $EXTERNAL_NET any -> <IP> 161 (msg:"SNMP..............

-----Original Message-----
From: Nick Duda [mailto:nduda at ...1896...] 
Sent: Tuesday, September 23, 2003 7:51 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] exclude IP from a rule


Hi,
I have a sig (below) that grabs SNMP traffic. How can I exclude 1 internal IP from the rule?
 
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Thanks in advance

Nick Duda, CCSA, Security+
Systems Administrator
Email: nduda at ...1897...

 
