[Snort-sigs] Var that don't work

Joel Esler joel.esler at ...435...
Mon Sep 10 15:22:13 EDT 2007


Try expanding the CIDR notations.
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8

I don't know if the way you have it written will work; I've never tested it.

Joel

On Sep 10, 2007, at 4:56 AM, Thierry CHICH wrote:

>
> I would adapt the rules
> BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
> to my network. Since I have a lot of RFC1918 computers that are not in my
> HOME_NET, I have a lot of FP.
>
> I try the following method. I had the following variables in
> the /etc/snort/snort.conf:
>
> var RFC1918 [192.168/16,172.16/12,10/8]
> var INTERNET !$RFC1918
>
>
>
> I modify the rules as:
> alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS
>
> But it doesn't work.
>
>



--
joel esler
http://demo.sourcefire.com/jesler.pgp.key
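
The expansion suggested in the reply above, as an added example that is not part of the original thread: a Python helper that pads abbreviated IPv4 CIDR entries in snort.conf `var` lines to four octets and validates each network. The function names and the sample input are constructed for illustration; the thread does not settle whether Snort accepts the abbreviated form.

```python
import ipaddress
import re

# Constructed sample input: the two variable lines quoted in the thread.
SAMPLE_CONF = """\
var RFC1918 [192.168/16,172.16/12,10/8]
var INTERNET !$RFC1918
"""

VAR_LINE = re.compile(r"^(\s*var\s+\S+\s+)(.+?)\s*$")
SHORT_CIDR = re.compile(r"^(!?)(\d{1,3}(?:\.\d{1,3}){0,3})/(\d{1,2})$")


def expand_cidr(token):
    """Pad an abbreviated IPv4 CIDR (e.g. 10/8) to four octets and validate it.

    Tokens that are not IPv4 CIDR (variable references, 'any') pass through unchanged.
    """
    m = SHORT_CIDR.match(token)
    if not m:
        return token
    neg, addr, prefix = m.groups()
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    # strict=True raises ValueError for bad octets or host bits set past the prefix.
    net = ipaddress.ip_network("{}/{}".format(".".join(octets), prefix), strict=True)
    return neg + str(net)


def expand_var_line(line):
    """Rewrite one 'var NAME value' line; other lines are returned as they are."""
    m = VAR_LINE.match(line)
    if not m:
        return line
    head, value = m.groups()
    bang = ""
    if value.startswith("!["):  # negated list: keep the '!' outside the brackets
        bang, value = "!", value[1:]
    if value.startswith("[") and value.endswith("]"):
        items = [expand_cidr(t.strip()) for t in value[1:-1].split(",")]
        return head + bang + "[" + ",".join(items) + "]"
    return head + expand_cidr(value)


def expand_conf(text):
    return "\n".join(expand_var_line(l) for l in text.splitlines())


if __name__ == "__main__":
    print(expand_conf(SAMPLE_CONF))
```

An entry such as `10.1/8` raises `ValueError` instead of being rewritten, because the padded address has host bits set outside the prefix.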


