[Snort-users] rule definition

Max Vision
Tue Oct 17 13:33:29 EDT 2000


At 05:48 PM 10/17/2000 +0200, Raphael Bauduin wrote:
>I want to log all rpc mount requests except the ones coming from
>address A, B and C or going to servers D, E or G.
>How do I do the OR in the rule definition?
>If I do
>alert UDP !A any -> any 111
>alert UDP !B any -> any 111
>alert UDP !C any -> any 111
>I suppose rule 1 will log requests from B and C, or am I wrong?
>I didn't see a possibility to OR addresses.

You are looking for an exclusion, not an OR.  Try pass rules using the "-o" 
option to change the rule order.  Using your example:

  pass udp A any -> any 111
  pass udp B any -> any 111
  pass udp C any -> any 111
  pass udp any any -> D 111
  pass udp any any -> E 111
  pass udp any any -> F 111
  alert udp any any -> any 111 (msg: "rpc traffic";)

Max Vision
http://whitehats.com/
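The point of the advice above is rule order, not rule syntax. In Snort 1.x the default evaluation order is Alert -> Pass -> Log, so the catch-all alert rule fires before any pass rule is consulted; "-o" switches the order to Pass -> Alert -> Log, which is what makes the exclusion work. The following is an added illustration, written for this page and not Snort's own code: a small evaluator that parses rule headers of the form used in the reply and walks them in either order. The addresses A..F are constructed placeholder IPs (an assumption; the original thread never gives real addresses), and the packets are constructed too. It also evaluates the original poster's "!A / !B / !C" variant to show why a packet from B still alerts there.

```python
"""Toy evaluator for Snort 1.x-style pass/alert rule ordering.

Added example for this thread, not Snort source. Host letters from the
thread are mapped to constructed IPs below (assumption).
"""
import ipaddress
from dataclasses import dataclass

# Constructed placeholders for the hosts named in the thread (assumption).
A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
D, E, F = "10.0.1.4", "10.0.1.5", "10.0.1.6"

# Max Vision's suggestion: pass the exceptions, alert on everything else.
PASS_THEN_ALERT_RULES = f"""
pass udp {A} any -> any 111
pass udp {B} any -> any 111
pass udp {C} any -> any 111
pass udp any any -> {D} 111
pass udp any any -> {E} 111
pass udp any any -> {F} 111
alert udp any any -> any 111 (msg: "rpc traffic";)
"""

# The original poster's attempt: three negated alert rules.
NAIVE_RULES = f"""
alert udp !{A} any -> any 111 (msg: "rpc traffic";)
alert udp !{B} any -> any 111 (msg: "rpc traffic";)
alert udp !{C} any -> any 111 (msg: "rpc traffic";)
"""

DEFAULT_ORDER = ("alert", "pass", "log")  # Snort 1.x default order
DASH_O_ORDER = ("pass", "alert", "log")   # order selected by snort -o


def _addr_match(token, ip):
    """'any', an IP/CIDR, or a '!'-negated IP/CIDR against a packet address."""
    if token == "any":
        return True
    negate = token.startswith("!")
    net = ipaddress.ip_network(token.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_match(token, port):
    return token == "any" or int(token) == port


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    def matches(self, pkt):
        return (self.proto == pkt["proto"]
                and _addr_match(self.src, pkt["src"])
                and _port_match(self.sport, pkt["sport"])
                and _addr_match(self.dst, pkt["dst"])
                and _port_match(self.dport, pkt["dport"]))


def parse_rules(text):
    """Parse 'action proto src sport -> dst dport (options)' headers; options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, sport, arrow, dst, dport = line.split("(", 1)[0].split()
        if arrow != "->":
            raise ValueError(f"unsupported direction operator in: {line}")
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, pkt, order):
    """Action of the first matching rule, visiting rule types in the given order."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action
    return None  # no rule matched: the packet is neither passed nor alerted on


def pkt(src, dst, sport=1023, dport=111, proto="udp"):
    """Constructed packet summary; sport/dport/proto default to an RPC portmap request."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto}


SUGGESTED = parse_rules(PASS_THEN_ALERT_RULES)
NAIVE = parse_rules(NAIVE_RULES)

if __name__ == "__main__":
    other, other2 = "10.0.9.9", "10.0.9.8"
    for label, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print(f"{label:8} A->other : {evaluate(SUGGESTED, pkt(A, other), order)}")
        print(f"{label:8} other->D : {evaluate(SUGGESTED, pkt(other, D), order)}")
        print(f"{label:8} other->other: {evaluate(SUGGESTED, pkt(other, other2), order)}")
    print(f"naive    B->other : {evaluate(NAIVE, pkt(B, other), DEFAULT_ORDER)}")
```

Running it shows the two things a practitioner wants to check before deploying such a rule set: with the default order every port-111 packet alerts, pass rules included, because the alert group is searched first; and the negated-alert variant still alerts on traffic from B, since "!A" is satisfied by any source other than A.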
