[Snort-users] Host negation in rules.

Max Vision vision at ...4...
Fri Jan 26 08:45:11 EST 2001


On Fri, 26 Jan 2001, Scott A. McIntyre wrote:
> I'm having a devil of a time getting this to work:
> alert tcp $EXTERNAL_NET any -> [!194.109.6.66/32,$HOME_NET] 53
> (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP;
> offset: 13;)
>

The traditional way of handling exclusions is to use pass rules.
Something like the following would ignore DNS traffic to that host:

pass tcp $EXTERNAL_NET any -> 194.109.6.66/32 53

Remember to add the -o option to snort if you do this.

Max
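
Why the -o option matters for the pass rule above, as an added example that is not part of the original post and is not Snort code: a simplified Python model of Snort 1.x rule-type ordering (Alert->Pass->Log by default, Pass->Alert->Log with -o). The HOME_NET value and the packets are constructed assumptions, and content/flags matching is left out.

```python
import ipaddress

# Simplified model of rule-type ordering only; this is not Snort's detection engine.
DEFAULT_ORDER = ("alert", "pass", "log")  # stock order: alert rules are consulted first
DASH_O_ORDER = ("pass", "alert", "log")   # order when snort is started with -o

HOME_NET = ipaddress.ip_network("194.109.6.0/24")  # assumed value for $HOME_NET

# (action, destination network, destination port, msg); source side omitted for brevity
RULES = [
    ("alert", HOME_NET, 53, "IDS212 - MISC - DNS Zone Transfer"),
    ("pass", ipaddress.ip_network("194.109.6.66/32"), 53, None),
]


def evaluate(dst_ip, dst_port, order):
    """Return (action, msg) of the first matching rule, walking rule types in `order`."""
    dst = ipaddress.ip_address(dst_ip)
    for action in order:
        for rule_action, net, port, msg in RULES:
            if rule_action == action and dst in net and dst_port == port:
                return action, msg
    return None, None


if __name__ == "__main__":
    # Constructed packets: the excluded host, another HOME_NET host, and a non-DNS port.
    for ip, port in [("194.109.6.66", 53), ("194.109.6.10", 53), ("194.109.6.66", 80)]:
        print(ip, port,
              "default:", evaluate(ip, port, DEFAULT_ORDER)[0],
              "with -o:", evaluate(ip, port, DASH_O_ORDER)[0])
```

In the default order the alert rule matches the excluded host before the pass rule is ever consulted, so the pass rule only takes effect once the order is switched with -o.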




