[Snort-sigs] Rule for identifying all traffic except the specified

Jeff Kell jeff-kell at ...922...
Wed Jun 14 16:23:59 EDT 2006


Rajkumar S wrote:

> fwsam is used for snortsam, for blocking the ip using alerts of snort. 
> Now I want to negate this rule to alert all streams that do not match 
> this rule. When I try to use ! operator I get an error about Pure not 
> rule. I am using snort 2.4.5

You could change that to a pass rule, then do an unconditional alert without content for the rest.  But be careful what you wish for :-)  You'll probably want to threshold it or something similar.

Jeff
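
A sketch of the pass-plus-alert arrangement suggested above, added here as an illustration and not taken from either poster's configuration. The original rule is not shown in the thread, so the rule header, the content pattern, the sids, the threshold values and the fwsam duration are all placeholders or assumptions.

```snort
# Added example: constructed rules, not the poster's own.
#
# Assumption: Snort 2.4.x is started with -o so that rule types are
# evaluated pass -> alert -> log. With the default order (alert first)
# the unconditional alert below would fire before the pass rule is
# ever consulted.

# 1. The former alert rule, turned into a pass rule. Packets carrying
#    the expected pattern are let through without alerting.
#    PLACEHOLDER_PATTERN stands in for the original rule's content.
pass tcp any any -> $HOME_NET 80 (flow:to_server,established; \
    content:"PLACEHOLDER_PATTERN"; sid:1000001; rev:1;)

# 2. The unconditional alert for everything else on the same header.
#    No content option, so it matches any packet the pass rule did
#    not claim.
#    - dsize:>0 skips empty ACKs, which would otherwise alert on every
#      connection because they can never contain the pattern.
#    - threshold limits output to one alert per source per 60 seconds,
#      so SnortSam is not handed a block request for every packet.
alert tcp any any -> $HOME_NET 80 (msg:"Traffic not matching expected pattern"; \
    flow:to_server,established; dsize:>0; \
    threshold: type limit, track by_src, count 1, seconds 60; \
    fwsam: src, 5 minutes; \
    sid:1000002; rev:1;)
```

Rules are evaluated per packet, so a later packet of an otherwise acceptable connection that does not carry the pattern still reaches the alert rule and gets its source blocked.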




