[Snort-users] IP Address Lists

Scott A. McIntyre scott at ...1050...
Thu Jan 18 00:45:41 EST 2001


Hi,


> alert tcp $EXTERNAL_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)  
> 
> I'd like something like this
> 
> alert tcp $EXTERNAL_NET !53 -> [a.b.c.0/24,!a.b.c.54] (msg:"MISC-Wingate-8080-Attempt";flags:S;)

Well, in this example you're missing a port or port range as the target
address, but assuming you meant to tack on an 8080 in that above line...

Any reason that you can't create a "pass" rule first, and change the
order of your rules processing to Pass, then Alert, then Log?

For example, you could have a rule that says:

pass tcp  $EXTERNAL_NET !53 -> a.b.c.54 8080

Then invoke snort with the -o option?

This would ignore all traffic from the external network to your node in
question, port 8080, that did not come from BIND/DNS on the outside.

Good luck,

Scott
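As an added illustration (not code from this thread or from the Snort project), the following Python models first-match rule evaluation under the two rule-type orders the reply contrasts: Snort's default Alert, Pass, Log versus the Pass, Alert, Log order selected with -o. The 192.0.2.0/24 and 192.0.2.54 addresses are assumed stand-ins for a.b.c.0/24 and a.b.c.54, and the flags:S option is not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-ins for the post's a.b.c.0/24 and a.b.c.54 (assumed values).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
EXCLUDED_HOST = ipaddress.ip_address("192.0.2.54")

@dataclass
class Rule:
    """One Snort-style rule header: action plus predicates on src/dst address and port."""
    action: str
    src: Callable
    sport: Callable
    dst: Callable
    dport: Callable
    msg: Optional[str] = None

    def matches(self, pkt) -> bool:
        s, sp, d, dp = pkt  # (src_ip, src_port, dst_ip, dst_port)
        return self.src(s) and self.sport(sp) and self.dst(d) and self.dport(dp)

# alert tcp $EXTERNAL_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)
ALERT_RULE = Rule("alert", lambda a: a not in HOME_NET, lambda p: p != 53,
                  lambda a: a in HOME_NET, lambda p: p == 8080, "MISC-WinGate-8080-Attempt")
# pass tcp $EXTERNAL_NET !53 -> a.b.c.54 8080
PASS_RULE = Rule("pass", lambda a: a not in HOME_NET, lambda p: p != 53,
                 lambda a: a == EXCLUDED_HOST, lambda p: p == 8080)

RULES = [ALERT_RULE, PASS_RULE]
DEFAULT_ORDER = ("alert", "pass", "log")  # Snort's default rule-type order
DASH_O_ORDER = ("pass", "alert", "log")   # the order selected by `snort -o`

def evaluate(pkt, rules=RULES, order=DEFAULT_ORDER):
    """First-match model: walk the rule types in `order` and return (action, msg)
    of the first rule whose header matches, or None when no rule applies."""
    for rule_type in order:
        for rule in rules:
            if rule.action == rule_type and rule.matches(pkt):
                return rule.action, rule.msg
    return None

def pkt(src, sport, dst, dport):
    return (ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport)

if __name__ == "__main__":
    excluded = pkt("198.51.100.7", 40000, "192.0.2.54", 8080)
    print("default order:", evaluate(excluded))                      # alert still fires
    print("with -o:      ", evaluate(excluded, order=DASH_O_ORDER))  # passed silently
```

Without -o the alert rule is reached first and the pass rule never gets a chance to suppress it; with -o the excluded host is passed while every other $HOME_NET target on 8080 still alerts.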
