[Snort-users] rule definition
vision at ...4...
Tue Oct 17 13:33:29 EDT 2000
At 05:48 PM 10/17/2000 +0200, Raphael Bauduin wrote:
>I want to log all rpc mount request except the one coming from
>address A, B and C or going to servers D, E or G.
>How do I do the OR in the rule definition?
>If I do
>alert UDP !A any -> any 111
>alert UDP !B any -> any 111
>alert UDP !C any -> any 111
>I suppose rule 1 will log requests from B and C, or am I wrong?
>I didn't see a possibility to OR addresses.
You are looking for an exclusion, not an OR. Try pass rules using the "-o"
option to change the rule order. Using your example:
pass udp A any -> any 111
pass udp B any -> any 111
pass udp C any -> any 111
pass udp any any -> D 111
pass udp any any -> E 111
pass udp any any -> F 111
alert udp any any -> any 111 (msg: "rpc traffic";)
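The following is an added example, not part of the original thread, that models Snort 1.x first-match rule evaluation in Python to show why the three "!A" alert rules from the question still alert on traffic from B and C, and why the pass rules above only work once "-o" moves pass ahead of alert. Hosts A through F and the sample packets are constructed placeholders.

```python
"""Added example (not from the original thread): a small model of Snort 1.x
rule ordering.  Default order is alert -> pass -> log; 'snort -o' changes it
to pass -> alert -> log.  Host names A..F and the packets are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str   # "alert" | "pass" | "log"
    proto: str
    src: str      # "any", a host, or a negated host such as "!A"
    dst: str
    dport: int
    msg: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _match_addr(pattern: str, addr: str) -> bool:
    """Match one address field, honouring Snort's 'any' and '!' negation."""
    if pattern == "any":
        return True
    if pattern.startswith("!"):
        return addr != pattern[1:]
    return addr == pattern


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto.lower()
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and rule.dport == pkt.dport)


def parse(line: str) -> Rule:
    """Parse the minimal rule syntax used in the thread (no port lists/CIDR)."""
    head, _, opts = line.partition("(")
    action, proto, src, _sport, _arrow, dst, dport = head.split()[:7]
    msg = opts.split("msg:")[1].split('"')[1] if "msg:" in opts else ""
    return Rule(action, proto.lower(), src, dst, int(dport), msg)


DEFAULT_ORDER: Tuple[str, ...] = ("alert", "pass", "log")
CHANGED_ORDER: Tuple[str, ...] = ("pass", "alert", "log")   # what 'snort -o' selects


def evaluate(rules: List[Rule], pkt: Packet,
             order: Tuple[str, ...] = DEFAULT_ORDER) -> Optional[str]:
    """Rules are grouped by action in 'order'; the first match wins.
    Returns the action taken, or None when nothing matched."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None


# The questioner's attempt: negating one host per rule does not exclude any of them.
NEGATED_ATTEMPT = [parse(r) for r in (
    "alert udp !A any -> any 111",
    "alert udp !B any -> any 111",
    "alert udp !C any -> any 111",
)]

# The reply's pass-rule approach.
PASS_SOLUTION = [parse(r) for r in (
    "pass udp A any -> any 111",
    "pass udp B any -> any 111",
    "pass udp C any -> any 111",
    "pass udp any any -> D 111",
    "pass udp any any -> E 111",
    "pass udp any any -> F 111",
    'alert udp any any -> any 111 (msg: "rpc traffic";)',
)]

# Constructed sample traffic (X and Y are hosts not on either exclusion list).
PACKETS = {
    "from_B": Packet("udp", "B", "X", 111),
    "to_E": Packet("udp", "X", "E", 111),
    "other": Packet("udp", "X", "Y", 111),
}


def outcomes(rules: List[Rule], order: Tuple[str, ...]) -> dict:
    """Action taken for each sample packet under the given rule order."""
    return {name: evaluate(rules, p, order) for name, p in PACKETS.items()}


if __name__ == "__main__":
    print("negated alerts, default order:", outcomes(NEGATED_ATTEMPT, DEFAULT_ORDER))
    print("pass rules, default order:    ", outcomes(PASS_SOLUTION, DEFAULT_ORDER))
    print("pass rules, -o order:         ", outcomes(PASS_SOLUTION, CHANGED_ORDER))
```

Running it shows the three outcomes side by side: the negated alert rules fire on the packet from B (rule 1 matches because B is not A), the pass rules are never reached under the default alert-first order, and only with the "-o" order do A, B, C and the D, E, F servers fall through to pass while everything else is alerted on.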