[Snort-sigs] Rule for identifying all traffic except the specified
rajkumars at ...3234...
Thu Jun 15 09:38:43 EDT 2006
Jeff Kell wrote:
>> fwsam is used for snortsam, for blocking the ip using alerts of snort. Now I want to
>> negate this rule to alert all streams that do not match this rule. When I try to use
>> ! operator I get an error about Pure not rule. I am using snort 2.4.5
> You could change that to a pass rule, then do an unconditional alert without content
> for the rest. But be careful what you wish for :-) You'll probably want to threshold
> it or something similar.
That was not working as I wanted, most probably due to my incompetence. But after much
trial and error, I found another set of rules that works.
alert tcp any any -> 192.168.3.74 20 (msg:"Foo rule"; flow:to_server,established;
content:"FOOBAR"; flowbits:set,allblock; flowbits:noalert;)
alert tcp any any -> 192.168.3.74 20 (msg:"Test Rule"; rev:1; pcre:"/.*/sm";
flowbits:isnotset,allblock; fwsam: src, 10 minutes;)
Just putting this up for archive. If any optimisation of this rule can be done, it will be
most welcome :)
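Added illustration, not part of the thread: a minimal per-flow model of how the two rules interact through the "allblock" flowbit. It is a simplified stand-in for Snort's detection engine (assumed here: the flowbits:set rule is evaluated before the flowbits:isnotset rule on each packet, and every server-bound packet carries a payload), and the sample traffic is constructed. It shows the caveat that a flow whose first server-bound packet lacks FOOBAR raises the blocking rule before the bit can be set.

```python
# Simplified model of the two snort-sigs rules; not Snort code. Assumes the
# flowbits:set rule runs before the flowbits:isnotset rule on the same packet.
from dataclasses import dataclass

TARGET = ("192.168.3.74", 20)   # destination in both rule headers


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    established: bool = True


def flow_key(pkt):
    # Both directions of one TCP connection share one flowbit state.
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def evaluate(packets):
    """Return (src, msg) events the second rule would raise, in packet order."""
    flowbits = {}   # flow_key -> set of flowbit names set on that flow
    events = []
    for pkt in packets:
        if (pkt.dst, pkt.dport) != TARGET:
            continue    # neither rule header matches this packet
        bits = flowbits.setdefault(flow_key(pkt), set())
        # Rule 1: flow:to_server,established; content:"FOOBAR"; set allblock; noalert
        if pkt.established and b"FOOBAR" in pkt.payload:
            bits.add("allblock")
        # Rule 2: pcre:"/.*/sm" matches any payload; fires only while allblock is unset
        if "allblock" not in bits:
            events.append((pkt.src, "Test Rule"))
    return events


def demo():
    # Constructed sample traffic: three client flows to the FTP-data port.
    sample = [
        Packet("10.0.0.5", 40001, "192.168.3.74", 20, b"FOOBAR first"),   # never fires
        Packet("10.0.0.5", 40001, "192.168.3.74", 20, b"more data"),
        Packet("10.0.0.6", 40002, "192.168.3.74", 20, b"hello"),          # fires once
        Packet("10.0.0.6", 40002, "192.168.3.74", 20, b"FOOBAR late"),
        Packet("10.0.0.7", 40003, "192.168.3.74", 20, b"no marker"),      # fires
        Packet("10.0.0.9", 5555, "10.0.0.1", 80, b"FOOBAR"),              # other host
    ]
    return evaluate(sample)
```

With fwsam in place, each event above would translate into a 10-minute block of that source, so the 10.0.0.6 client is blocked despite sending FOOBAR in its second packet.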