[Snort-users] IP Address Lists
Scott A. McIntyre
scott at ...1050...
Thu Jan 18 00:45:41 EST 2001
> alert tcp $EXTERNAL_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)
> I'd like something like this
> alert tcp $EXTERNAL_NET !53 -> [a.b.c.0/24,!a.b.c.54] (msg:"MISC-Wingate-8080-Attempt";flags:S;)

Well, in this example you're missing a port or port range as the target
address, but assuming you meant to tack on an 8080 in that above line...

Any reason that you can't create a "pass" rule first, and change the
order of your rules processing to Pass, then Alert, then Log?

For example, you could have a rule that says:

pass tcp $EXTERNAL_NET !53 -> a.b.c.54 8080

Then invoke snort with the -o option?

This would ignore all traffic from the external network to your node in
question, port 8080, that did not come from BIND/DNS on the outside.
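
Added example, not part of the original message and not Snort's own code: a small Python model of why the pass rule only takes effect with -o. It assumes the Snort 1.x default rule-type order of Alert, Pass, Log, treats $EXTERNAL_NET as "anything outside the home network", and uses constructed addresses (192.0.2.0/24 standing in for a.b.c.0/24, 192.0.2.54 for a.b.c.54).

```python
import ipaddress

# Constructed stand-ins for the thread's a.b.c.0/24 and a.b.c.54.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
EXEMPT = ipaddress.ip_network("192.0.2.54/32")

# (action, destination net, destination port, required TCP flags or None).
# Both rules share the source side "$EXTERNAL_NET !53" from the thread.
RULES = [
    ("alert", HOME_NET, 8080, "S"),  # MISC-WinGate-8080-Attempt, flags:S
    ("pass", EXEMPT, 8080, None),    # the pass rule suggested in the reply
]

DEFAULT_ORDER = ("alert", "pass", "log")  # assumed default without -o
DASH_O_ORDER = ("pass", "alert", "log")   # order the reply describes for -o


def matches(rule, pkt):
    """True if the packet satisfies the rule header and flag option."""
    _, net, dport, flags = rule
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return (src not in HOME_NET and pkt["sport"] != 53
            and dst in net and pkt["dport"] == dport
            and (flags is None or pkt["flags"] == flags))


def verdict(pkt, order):
    """Action of the first rule type, taken in `order`, that has a match."""
    for action in order:
        if any(r[0] == action and matches(r, pkt) for r in RULES):
            return action
    return "none"


# Constructed sample packets (all TCP).
SYN_TO_EXEMPT = {"src": "203.0.113.9", "sport": 40000,
                 "dst": "192.0.2.54", "dport": 8080, "flags": "S"}
SYN_TO_OTHER = {"src": "203.0.113.9", "sport": 40000,
                "dst": "192.0.2.10", "dport": 8080, "flags": "S"}
SYN_FROM_53 = {"src": "203.0.113.9", "sport": 53,
               "dst": "192.0.2.54", "dport": 8080, "flags": "S"}

if __name__ == "__main__":
    for name, pkt in [("to exempt host", SYN_TO_EXEMPT),
                      ("to other host", SYN_TO_OTHER),
                      ("from port 53", SYN_FROM_53)]:
        print(name, "| default:", verdict(pkt, DEFAULT_ORDER),
              "| with -o:", verdict(pkt, DASH_O_ORDER))
```

The source-port-53 packet matches neither rule because both headers carry !53, so the pass rule does not widen what the alert rule already skips.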