[Snort-users] Negate IP's in rules

Martin Roesch roesch at ...421...
Tue Oct 3 11:21:35 EDT 2000


There's no way to do this sort of thing in Snort 1.6.3 or the 1.7 beta code,
but this capability is on the ToDo list...

    -Marty

John Tran wrote:
> 
> Is there a way to negate many IP's/hosts?  I noticed in a standard rule:
> 
> alert tcp !$HOME_NET 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)
> 
> it allows me to negate an address/range only once.  If I do:
> 
> alert tcp !$HOME_NET !192.168.0.1 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)
> 
> , then snort refuses to start.
> 
> Any ideas?
> 

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org


