[Snort-users] rule definition
alambert at ...387...
Tue Oct 17 07:34:24 EDT 2000
> I want to log all rpc mount request except the one coming from address
> A, B and C or going to servers D, E or G.
Run snort like this: snort -$YOUROPTIONS -o
The "-o" option will cause snort to consider "pass" rules before
"alert" rules, and upon finding a "pass" rule that matches, will cease
trying to match the packet against an alert.
And make your rules look like this:
pass UDP A any -> any 111 # allow this
pass UDP B any -> any 111 # allow this
pass UDP C any -> any 111 # allow this
alert UDP any any -> any 111 # scream about anything else
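To make the ordering effect concrete, here is a small toy evaluator I added (it is not from the post and not Snort's own code) for the header-only rule form used above. It models Snort's default rule-type order (alert before pass) against the order "-o" selects (pass before alert); the IP addresses stand in for the placeholder hosts A, B and C and are made up.

```python
# Toy evaluator for the header-only Snort rules in the post (constructed
# example). Hosts A/B/C are stand-ins; the IPs are made up.
RULES = """
pass udp 10.0.0.1 any -> any 111   # host A
pass udp 10.0.0.2 any -> any 111   # host B
pass udp 10.0.0.3 any -> any 111   # host C
alert udp any any -> any 111       # scream about anything else
"""
DEFAULT_ORDER = ("alert", "pass", "log")     # Snort's default rule-type order
PASS_FIRST_ORDER = ("pass", "alert", "log")  # the order "snort -o" selects

def parse_rules(text):
    """Parse 'action proto src sport -> dst dport'; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, sport, arrow, dst, dport = line.split()
        if arrow != "->":
            raise ValueError("only unidirectional '->' rules are supported")
        rules.append({"action": action.lower(), "proto": proto.lower(),
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules

def matches(rule, pkt):
    """A field matches when the rule says 'any' or equals the packet value."""
    return all(rule[k] == "any" or rule[k] == str(pkt[k])
               for k in ("proto", "src", "sport", "dst", "dport"))

def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return the action of the first matching rule, trying rule types in
    'order' (this is what -o changes), or None if nothing matches."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, pkt):
                return action
    return None

# Constructed packets: a portmapper (111/udp) request from host A and one
# from an unrelated client.
FROM_A = {"proto": "udp", "src": "10.0.0.1", "sport": 4000, "dst": "10.0.0.9", "dport": 111}
FROM_OTHER = {"proto": "udp", "src": "192.0.2.50", "sport": 4000, "dst": "10.0.0.9", "dport": 111}

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("A, default:", evaluate(rules, FROM_A))                      # alert
    print("A, with -o:", evaluate(rules, FROM_A, PASS_FIRST_ORDER))    # pass
    print("other, -o :", evaluate(rules, FROM_OTHER, PASS_FIRST_ORDER))  # alert
```

Without -o the catch-all alert fires even for host A; with -o the matching pass rule ends evaluation first, which is exactly the behaviour the post relies on.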