[Snort-sigs] Var that don't work

Thierry CHICH thierry.chich at ...2579...
Mon Sep 10 04:56:16 EDT 2007


I would like to adapt the rules 
BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
to my network. Since I have a lot of RFC1918 computers that are not in my 
HOME_NET, I have a lot of FPs.

I tried the following method. I added the following variables in 
/etc/snort/snort.conf:

var RFC1918 [192.168/16,172.16/12,10/8]
var INTERNET !$RFC1918



I modified the rules as:
alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS 

But it doesn't work.




