[Snort-users] rule definition

Raphael Bauduin rb at ...573...
Tue Oct 17 11:48:25 EDT 2000


I want to log all rpc mount request except the one coming from 
adress A, B and C or going to servers D, E or G.

How do I do the OR in the rule definition?
If I do 

alert UDP !A any -> any 111
alert UDP !B any -> any 111
alert UDP !C any -> any 111

I suppose rule 1 will log requests from B and C, or am I wrong?
I didn't see a possibility to OR adresses.


PS: I read the doc :-)
Here's a part of it, but I'm not sure of the meaning of this.....
What does it imply on the above example?

"At the same time, the various rules in a Snort rules library file can be 
considered to form a large logical OR statement"


             |  -�)                        (�-  |
             |  /\\     Linux for ever     //\  |
             | _\_v                        v_/_ |

   If windows is the answer, it must have been a stupid question.

More information about the Snort-users mailing list