[Snort-sigs] sig question

Nick Duda nduda at ...1896...
Wed Sep 24 08:39:17 EDT 2003


First off, thanks to all for helping me with pass rules; they work well. I have a question along the same lines: will creating a sig with the header using !insert_ip_address work just as well? (I am new to Snort.)
 
So if I had a sig that I wanted to alert every time it's triggered except from a certain IP, could I do this?
 
alert udp $EXTERNAL_NET any -> !insert_ip_address 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

-Nick