[Snort-users] rule definition

A.L.Lambert alambert at ...387...
Tue Oct 17 07:34:24 EDT 2000

> Hi,
> I want to log all rpc mount request except the one coming from adress
> A, B and C or going to servers D, E or G.

Run snort like this:	snort -$YOUROPTIONS -o

	The "-o" option will cause snort to consider "pass" rules before
"alert" rules, and upon finding a "pass" rule that matches, will cease
trying to match the packet against an alert.

And make your rules look like this:

pass UDP A any -> any 111 	# allow this
pass UDP B any -> any 111	# allow this
pass UDB C any -> any 111	# allow this
alert UDP any any -> any 111	# scream about anything else

-- A.L.Lambert

More information about the Snort-users mailing list