[Snort-users] Negate IP's in rules

John Tran snort at ...360...
Fri Sep 29 17:00:26 EDT 2000


Is there a way to negate many IPs/hosts? I noticed in a standard rule:

alert tcp !$HOME_NET 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)

it allows me to negate an address/range only once.  If I do:

alert tcp !$HOME_NET !192.168.0.1 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)

, then Snort refuses to start.

Any ideas?



