[Snort-users] Host negation in rules.

Max Vision vision at ...4...
Fri Jan 26 08:45:11 EST 2001

On Fri, 26 Jan 2001, Scott A. McIntyre wrote:
> I'm having a devil of a time getting this to work:
> alert tcp $EXTERNAL_NET any -> [!,$HOME_NET] 53
> (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP;
> offset: 13;)

The traditional way of handling exclusions is to use pass rules.
Something like the following would ignore DNS traffic to that host:

pass tcp $EXTERNAL_NET any -> 53

Remember to add the -o option to snort if you do this.
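
An added illustration, not part of the original post: a small Python model of why the pass rule only takes effect with -o. Snort of this era evaluates rule types in Alert, Pass, Log order by default, and -o changes that to Pass, Alert, Log. The host 192.0.2.53 and the network 192.0.2.0/24 are constructed placeholders (the page elides the real host), and matching is simplified to destination address and port only.

```python
import ipaddress

# Constructed placeholders: the page elides the excluded host and the networks.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
EXCLUDED_HOST = ipaddress.ip_address("192.0.2.53")

# Simplified rule headers: (action, destination test, destination port).
# Content, flags and source matching from the real rules are not modelled.
RULES = [
    ("alert", lambda dst: dst in HOME_NET, 53),       # zone-transfer alert rule
    ("pass",  lambda dst: dst == EXCLUDED_HOST, 53),  # exclusion for one DNS host
]

DEFAULT_ORDER = ("alert", "pass", "log")  # standard rule-type order
DASH_O_ORDER = ("pass", "alert", "log")   # rule-type order when run with -o


def verdict(dst, dport, order):
    """Return the action of the first rule type, taken in `order`, that matches."""
    dst = ipaddress.ip_address(dst)
    for action in order:
        for rule_action, dst_test, port in RULES:
            if rule_action == action and port == dport and dst_test(dst):
                return action
    return None  # no rule matched


def compare(dst, dport):
    """Show the outcome for one packet with and without -o."""
    return {
        "default": verdict(dst, dport, DEFAULT_ORDER),
        "with -o": verdict(dst, dport, DASH_O_ORDER),
    }


if __name__ == "__main__":
    # Constructed sample packets: excluded host, another home host, non-DNS port.
    for dst, dport in [("192.0.2.53", 53), ("192.0.2.10", 53), ("192.0.2.53", 80)]:
        print(dst, dport, compare(dst, dport))
```

Without -o the excluded host still alerts because the alert rules are checked before the pass rules; other hosts in the home network keep alerting either way.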

