[Snort-users] Host negation in rules.
Scott A. McIntyre
scott at ...1050...
Fri Jan 26 09:26:52 EST 2001
Also sprach Max Vision (vision at ...4...):
> On Fri, 26 Jan 2001, Scott A. McIntyre wrote:
> > I'm having a devil of a time getting this to work:
> > alert tcp $EXTERNAL_NET any -> [!220.127.116.11/32,$HOME_NET] 53
> > (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP;
> > offset: 13;)
> The traditional way of handling exclusions is to use pass rules.
> Something like the following would ignore dns traffic to that host:
> pass tcp $EXTERNAL_NET any -> 18.104.22.168/32 53
> Remember to add the -o option to snort if you do this.
Yes, and in this case I may end up doing that. The down side is that it
will then pass all traffic, tcp in nature, to that host/port, regardless
of the rest of the rule that existed for the alert condition.
In other words, what if, instead of DNS, I wanted to have two CGI-based
rules, to the same port, but different content (as is often the case)?
Omitting a specific node as a destination would be best on a per-host
basis -- I want to ignore "webshop cgi" alerts on hostA, but not hostB.
It's the extra conditionals within the rule that give some of the
flexibility I'd lose by using a blanket "pass".
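
The trade-off described in this message, as an added example that is not part of the original post: a small Python model of pass-first rule ordering (what -o selects), comparing a blanket pass rule with a pass rule that repeats the alert's content match. The host addresses, rule messages and requests are constructed, the matcher is a simplification rather than Snort's engine, and a pass rule carrying a content option is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "alert"
    dst: Optional[str]        # destination host, None = any host
    port: int
    content: Optional[bytes]  # payload substring, None = no content test
    msg: str = ""

    def matches(self, dst: str, port: int, payload: bytes) -> bool:
        return ((self.dst is None or self.dst == dst)
                and self.port == port
                and (self.content is None or self.content in payload))

def evaluate(rules, dst, port, payload):
    """Pass rules are checked first (the -o ordering); a pass match ignores the packet."""
    if any(r.action == "pass" and r.matches(dst, port, payload) for r in rules):
        return []
    return [r.msg for r in rules
            if r.action == "alert" and r.matches(dst, port, payload)]

# Constructed sample data: two hosts, two CGI signatures on the same port.
HOST_A, HOST_B = "192.0.2.10", "192.0.2.20"
ALERTS = [
    Rule("alert", None, 80, b"/cgi-bin/webshop", "webshop cgi"),
    Rule("alert", None, 80, b"/cgi-bin/other", "other cgi"),
]
# Blanket pass: everything to hostA:80 is ignored, whatever the payload.
BLANKET = ALERTS + [Rule("pass", HOST_A, 80, None)]
# Scoped pass (assumption): same host/port, but only the webshop content.
SCOPED = ALERTS + [Rule("pass", HOST_A, 80, b"/cgi-bin/webshop")]

def compare():
    """Return the alerts raised per (ruleset, host, URI) for the constructed requests."""
    out = {}
    requests = (b"GET /cgi-bin/webshop HTTP/1.0", b"GET /cgi-bin/other HTTP/1.0")
    for name, rules in (("blanket", BLANKET), ("scoped", SCOPED)):
        for host in (HOST_A, HOST_B):
            for req in requests:
                out[(name, host, req.split()[1])] = evaluate(rules, host, 80, req)
    return out

if __name__ == "__main__":
    for key, alerts in compare().items():
        print(key, alerts)
```

With the blanket pass, the second CGI signature is also silenced on hostA; with the scoped pass, only the webshop alert is suppressed there and hostB is unaffected.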