[Snort-sigs] sig question

Matt Kettler mkettler at ...189...
Wed Sep 24 10:32:09 EDT 2003


At 11:37 AM 9/24/2003, Nick Duda wrote:
>So if i had a sig that i wanted to alert everytime its triggered except 
>from a certain IP could i do this?
>
>alert udp $EXTERNAL_NET any -> !insert_ip_address 161 (msg:"SNMP request 
>udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; 
>rev:2; classtype:attempted-recon;)
>-Nick

Yes, provided that you want it to fire off for _any_ destination besides 
"insert_ip_address", without regard for HOME_NET.





More information about the Snort-sigs mailing list