[Snort-users] Negate IP's in rules

Fyodor fygrave at ...121...
Fri Sep 29 23:29:30 EDT 2000


On Fri, 29 Sep 2000 out of nowhere John Tran spoke:
~ :
~ :alert tcp !$HOME_NET 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)
~ :
~ :it allows me to negate an address/range only once.  If I do:
~ :
~ :alert tcp !$HOME_NET !192.168.0.1 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)

you missed -> here :), also try using /32 mask if still would have a
problem althrough snort should understand both :)





More information about the Snort-users mailing list