[Snort-users] IP Address Lists

Wozz wozz+rt at ...471...
Wed Jan 17 17:21:20 EST 2001


I've got a question about IP Address lists...

We have a few applications between one of our snort-watched networks that run
on port 8080.  Whenever someone hits those applications, snort triggers a
MISC-WinGate-8080-Attempt alert.  What I'd like to be able to do is something
like this.  Instead of the current rule, which is:

alert tcp $EXTERNAL_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)  

I'd like something like this

alert tcp $EXTERNAL_NET !53 -> [a.b.c.0/24,!a.b.c.54] (msg:"MISC-Wingate-8080-Attempt";flags:S;)


Unfortunately this doesn't seem to work.  It looks like I can negate a whole
list, but not a member of a list.  Is this by design, or omission, and in
either case, how would I go about doing what I need to do?  Thanks!

w0zz
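
The matching behaviour asked for above, written out as an added example (not part of the original post, and not Snort code): a destination list matches when the address falls in a listed network and in no negated member. The 192.0.2.0/24 addresses are constructed stand-ins for the a.b.c.x hosts, the function names are hypothetical, and treating a list of only negated members as "everything else" is an assumption.

```python
import ipaddress

# Constructed sample list: a /24 with one host carved out.
DST_LIST = "[192.0.2.0/24,!192.0.2.54]"


def parse_address_list(spec):
    """Split '[net,!net,...]' into (included, excluded) network lists."""
    included, excluded = [], []
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (excluded if negated else included).append(net)
    return included, excluded


def list_matches(spec, address):
    """True if address is in a listed network and in no negated member."""
    included, excluded = parse_address_list(spec)
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in excluded):
        return False
    # Assumption: a list holding only negated members means "all the rest".
    return not included or any(ip in net for net in included)


def would_alert(dst_spec, dst_ip, dst_port, syn_only, port=8080):
    """Model of the desired rule: SYN to port 8080 on a matching host."""
    return syn_only and dst_port == port and list_matches(dst_spec, dst_ip)


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.54", "198.51.100.1"):
        print(host, would_alert(DST_LIST, host, 8080, True))
```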



