[Snort-sigs] Rule for identifying all traffic except the specified

Rajkumar S rajkumars at ...3234...
Thu Jun 15 09:38:43 EDT 2006

Jeff Kell wrote:
>> fwsam is used for snortsam, for blocking the ip using alerts of snort. Now I want to
>> negate this rule to alert all streams that do not match this rule. When I try to use
>> ! operator I get an error about Pure not rule. I am using snort 2.4.5
> You could change that to a pass rule, then do an unconditional alert without content
> for the rest.  But be careful what you wish for :-)  You'll probably want to threshold
> it or something similar.

That was not working as I wanted, most probably due to my incompetence. But after much 
trial and error, I found another set of rules that works.

alert tcp any any -> any 20 (msg:"Foo rule"; flow:to_server,established; 
content:"FOOBAR"; flowbits:set,allblock; flowbits:noalert;)

alert tcp any any -> any 20 (msg:"Test Rule"; rev:1; pcre:"/.*/sm"; 
flowbits:isnotset,allblock; fwsam: src, 10 minutes;)

Just putting this up for archive. If any optimisation of this rule can be done it will be 
most welcome :)
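Added example (not part of the original post, and not Snort code): a small Python model of how Snort evaluates the two flowbits rules above packet by packet. Snort checks every rule on every packet, and a flowbit is only visible from the packet that sets it onward, so the "isnotset" rule fires on the packets of a FOOBAR flow that arrive before the FOOBAR payload does. The flow ids, payloads and the marker string are constructed sample values; direction (to_server) is ignored for simplicity.

```python
# Model of flowbits:set / flowbits:isnotset evaluation across a packet stream.
# This mimics Snort's per-packet rule evaluation; it is not Snort's own code.
from collections import defaultdict

# Constructed sample stream: two interleaved TCP flows, "A" and "B".
# Flow A carries the FOOBAR marker on its second packet; flow B never does.
SAMPLE_PACKETS = [
    ("A", b"USER alice\r\n"),    # 0: before the marker, bit not yet set on A
    ("B", b"USER bob\r\n"),      # 1: flow B, bit never set
    ("A", b"FOOBAR\r\n"),        # 2: sets the 'allblock' bit on flow A
    ("B", b"PASS hunter2\r\n"),  # 3: flow B again
    ("A", b"QUIT\r\n"),          # 4: bit already set on A, no alert
]


def evaluate(packets, marker=b"FOOBAR", bit="allblock"):
    """Return [(packet_index, flow_id), ...] on which the blocking rule fires.

    Rule 1 (model of "Foo rule"): if the payload contains `marker`, set `bit`
    on the flow and do not alert (flowbits:noalert).
    Rule 2 (model of "Test Rule"): fire if `bit` is NOT set on the flow.
    Both rules are evaluated on every packet, in order.
    """
    flowbits = defaultdict(set)   # flow_id -> set of bits currently set
    fired = []
    for idx, (flow_id, payload) in enumerate(packets):
        if marker in payload:              # rule 1: content match
            flowbits[flow_id].add(bit)     # flowbits:set,allblock
        if bit not in flowbits[flow_id]:   # rule 2: flowbits:isnotset,allblock
            fired.append((idx, flow_id))   # this is where fwsam would block src
    return fired


def flows_that_would_be_blocked(fired):
    """Distinct flows whose source fwsam would block given the alerts."""
    return {flow_id for _, flow_id in fired}


if __name__ == "__main__":
    hits = evaluate(SAMPLE_PACKETS)
    print("rule 2 fires on:", hits)
    print("flows blocked:", sorted(flows_that_would_be_blocked(hits)))
```

Running it shows rule 2 firing on packet 0 of flow A (the one that will later send FOOBAR) as well as on every packet of flow B, so the source of the "allowed" flow is blocked on its first packet anyway; the bit only suppresses alerts from the marker packet onward. That is the reason the blocking rule needs a threshold (or a delayed, stream-level condition) rather than firing on the first packet of each flow.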
