[Snort-users] Multiple networks and port-scanning...

Christian Hammers ch at ...139...
Wed Jul 26 11:38:03 EDT 2000


On Wed, Jul 26, 2000 at 04:33:14PM +0100, Peter Bates wrote:
...
> and can I somehow have the portscan
> line cover all of the 3 blocks mentioned
> in HOME_NET,HOME_NET2 and HOME_NET3???

An idea for a mad hack would be to write a preprocessor that substitutes
all IPs that belong to the given nets by one single IP e.g. 10.1.1.1.
Then you would only have to write your rules one time, looking for the
dst address 10.1.1.1 and you catch packets for them all.

bye,

 -christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
ch at ...139...     Internet & Security for Professionals    Fax 0241/911879
           WESTEND ist CISCO Systems Partner - Premium Certified
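
The substitution idea from the reply above, sketched as an added example; it is not part of the original post and is not Snort code. The three network blocks, the scanner address, the `pkt` struct and both function names are constructed for illustration, and the distinct-port count is a simple stand-in for a portscan check written once against 10.1.1.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define SENTINEL IP4(10, 1, 1, 1) /* the single stand-in address from the post */
struct cidr { uint32_t net, mask; };
struct pkt  { uint32_t src, dst, orig_dst; uint16_t dport; };

/* Constructed stand-ins for HOME_NET, HOME_NET2 and HOME_NET3 (all /24). */
static const struct cidr home_nets[] = {
    { IP4(192, 0, 2, 0), 0xFFFFFF00u }, { IP4(198, 51, 100, 0), 0xFFFFFF00u },
    { IP4(203, 0, 113, 0), 0xFFFFFF00u },
};

/* Rewrite dst to SENTINEL if it lies in any home net; orig_dst keeps the real target. */
int normalize_dst(struct pkt *p)
{
    p->orig_dst = p->dst;
    for (size_t i = 0; i < sizeof home_nets / sizeof home_nets[0]; i++)
        if ((p->dst & home_nets[i].mask) == home_nets[i].net) { p->dst = SENTINEL; return 1; }
    return 0;
}

/* Distinct destination ports src sent to dst: a scan metric written once. */
int distinct_ports(const struct pkt *pk, size_t n, uint32_t src, uint32_t dst)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (pk[i].src != src || pk[i].dst != dst) continue;
        size_t j = 0;
        while (j < i && !(pk[j].src == src && pk[j].dst == dst &&
                          pk[j].dport == pk[i].dport)) j++;
        if (j == i) count++; /* first time this port is seen */
    }
    return count;
}

int main(void)
{
    uint32_t s = IP4(100, 64, 0, 9); /* constructed scanner address */
    struct pkt pk[] = { { s, IP4(192, 0, 2, 10), 0, 22 },
                        { s, IP4(198, 51, 100, 7), 0, 23 },
                        { s, IP4(203, 0, 113, 5), 0, 80 } };
    for (size_t i = 0; i < 3; i++) normalize_dst(&pk[i]);
    printf("ports seen on sentinel: %d\n", distinct_ports(pk, 3, s, SENTINEL));
    return 0;
}
```

A scan spread one port per host across the three blocks never exceeds one port on any real address, but shows up as a single multi-port target once destinations are collapsed.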



