[Snort-sigs] Rule for identifying all traffic except the specified
jeff-kell at ...922...
Wed Jun 14 16:23:59 EDT 2006
Rajkumar S wrote:
> fwsam is used for snortsam, for blocking the ip using alerts of snort.
> Now I want to negate this rule to alert all streams that do not match
> this rule. When I try to use ! operator I get an error about Pure not
> rule. I am using snort 2.4.5
You could change that to a pass rule, then do an unconditional alert without content for the rest. But be careful what you wish for :-) You'll probably want to threshold it or something similar.
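The pass-then-alert arrangement suggested in the reply, as an added example that is not part of the original thread. The poster's rule is not shown, so the content string, port 80, SIDs and message text are placeholders; the example also assumes Snort 2.4.x is started with `-o`, since that version checks alert rules before pass rules by default.

```snort
# Constructed example: "PLACEHOLDER" stands in for the content match of the
# poster's original rule, and port 80 for whatever port that rule covered.

# 1. The original signature, converted to a pass rule: matching packets
#    are ignored instead of alerted on.
pass tcp any any -> $HOME_NET 80 (content:"PLACEHOLDER"; sid:1000001; rev:1;)

# 2. Unconditional alert (no content option) for everything else in the same
#    scope. The threshold keeps it to one alert per source IP per 60 seconds.
alert tcp any any -> $HOME_NET 80 (msg:"Traffic not matching expected content"; threshold: type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
```

Both rules are evaluated per packet, not per stream, so the alert rule also fires on packets of an otherwise matching connection that do not carry the content themselves, which is why the threshold matters.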