[Snort-sigs] exclude IP from a rule

Esler, Joel Contractor joel.esler at ...783...
Tue Sep 23 05:42:01 EDT 2003


pass udp $EXTERNAL_NET any -> <IP> 161 (msg:"SNMP..............

-----Original Message-----
From: Nick Duda [mailto:nduda at ...1896...] 
Sent: Tuesday, September 23, 2003 7:51 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] exclude IP from a rule


Hi,
I have a sig (below) that grabs SNMP traffic. How can I exclude 1 internal
IP from the rule?
 
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp";
reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2;
classtype:attempted-recon;)

Thanks in advance

Nick Duda, CCSA, Security+
Systems Administrator
*  Email: nduda at ...1897... <mailto:nduda at ...1897...> 
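
Added example (not part of the original messages): the pass-rule approach from the reply written out next to the unchanged alert rule, with an event-suppression entry as an alternative. The address 192.0.2.10 and sid 1000001 are constructed placeholders; the rule-order comment applies to Snort releases that evaluate alert rules before pass rules unless started with -o.

```snort
# --- Option 1: pass rule (the approach from the reply) ----------------------
# 192.0.2.10 is a constructed placeholder for the one internal host to exclude.
# sid 1000001 is a constructed local sid (local rules use sids >= 1000000).
#
# Caveat 1: on Snort releases that apply rules in alert -> pass -> log order,
#           the pass rule has no effect unless Snort is started with -o,
#           which switches the order to pass -> alert -> log.
# Caveat 2: a pass rule exempts the matching packet from ALL alert rules,
#           not only sid:1417, so keep its header as narrow as possible.
pass udp $EXTERNAL_NET any -> 192.0.2.10 161 (msg:"SNMP request udp - excluded host"; sid:1000001; rev:1;)

# The original rule stays unchanged and still covers the rest of $HOME_NET.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

# --- Option 2: suppress only this signature for this destination ------------
# On Snort versions that support event suppression, this silences sid:1417
# for the one host while every other rule still inspects its traffic.
# It goes in snort.conf (or the included threshold/suppression file).
suppress gen_id 1, sig_id 1417, track by_dst, ip 192.0.2.10
```

Use one option or the other, not both. After the change, send a test SNMP request to the excluded host and to another $HOME_NET host and confirm that only the second produces a sid:1417 alert.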

 
