[Snort-users] IP Address Lists
wozz+rt at ...471...
Wed Jan 17 17:21:20 EST 2001
I've got a question about IP Address lists...
We have a few applications between one of our snort-watched networks that run
on port 8080. Whenever someone hits those applications, snort triggers a
MISC-WinGate-8080-Attempt alert. What I'd like to be able to do is something
like this. Instead of the current rule, which is:
alert tcp $EXTERNAL_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)
I'd like something like this:
alert tcp $EXTERNAL_NET !53 -> [a.b.c.0/24,!a.b.c.54] (msg:"MISC-Wingate-8080-Attempt";flags:S;)
Unfortunately this doesn't seem to work. It looks like I can negate a whole
list, but not a member of a list. Is this by design or omission, and in
either case, how would I go about doing what I need to do? Thanks!