[Snort-users] Host negation in rules.
vision at ...4...
Fri Jan 26 08:45:11 EST 2001
On Fri, 26 Jan 2001, Scott A. McIntyre wrote:
> I'm having a devil of a time getting this to work:
> alert tcp $EXTERNAL_NET any -> [!220.127.116.11/32,$HOME_NET] 53
> (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP;
> offset: 13;)
The traditional way of handling exclusions is to use pass rules.
Something like the following would ignore DNS traffic to that host:
pass tcp $EXTERNAL_NET any -> 18.104.22.168/32 53
Remember to add the -o option to snort if you do this.
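
Added example, not part of the original message and not Snort code: a simplified Python model of why the pass rule only takes effect with -o, which changes Snort's rule evaluation order from alert, pass, log to pass, alert, log. The addresses, payloads and the second signature are constructed, and flags/offset matching is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation range), not the ones from the post.
HOME_NET = ip_network("192.0.2.0/24")
DNS_SECONDARY = ip_network("192.0.2.53/32")  # host allowed to receive zone transfers

# Simplified rules: (action, dst network, dst port, content or None, msg).
RULES = [
    ("alert", HOME_NET, 53, b"\xfc", "DNS Zone Transfer"),
    ("alert", HOME_NET, 53, b"\x00\x00\xff", "hypothetical second DNS signature"),
    ("pass", DNS_SECONDARY, 53, None, "ignore TCP/53 to secondary"),
]

DEFAULT_ORDER = ("alert", "pass", "log")  # evaluation order without -o
PASS_FIRST = ("pass", "alert", "log")     # evaluation order with -o

# Constructed DNS-over-TCP payloads: an AXFR query (type 0xFC) and an ANY query.
HEADER = b"\x00\x1d\x12\x34\x00\x00\x00\x01" + b"\x00" * 6
AXFR = HEADER + b"\x07example\x03com\x00\x00\xfc\x00\x01"
ANY_QUERY = HEADER + b"\x07example\x03com\x00\x00\xff\x00\x01"


def matches(rule, dst, dport, payload):
    """True if the packet's destination, port and payload satisfy the rule."""
    _, net, port, content, _ = rule
    return (ip_address(dst) in net and dport == port
            and (content is None or content in payload))


def evaluate(dst, dport, payload, order):
    """Return (action, msg) of the first matching rule, walking rule types in `order`."""
    for action in order:
        for rule in RULES:
            if rule[0] == action and matches(rule, dst, dport, payload):
                return action, rule[4]
    return None, None


if __name__ == "__main__":
    for name, order in (("without -o", DEFAULT_ORDER), ("with -o", PASS_FIRST)):
        print(name, "AXFR to secondary ->", evaluate("192.0.2.53", 53, AXFR, order))
    # The pass rule is broad: with -o it also hides other signatures for that host/port.
    print("with -o ANY to secondary ->", evaluate("192.0.2.53", 53, ANY_QUERY, PASS_FIRST))
```

With pass rules evaluated first, every signature for TCP port 53 traffic to the excluded host is silenced, not only the zone transfer alert, so that host loses coverage from any other rule on that port.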