[Snort-users] Host negation in rules.

Scott A. McIntyre scott at ...1050...
Fri Jan 26 09:26:52 EST 2001

Also sprach Max Vision (vision at ...4...):

> On Fri, 26 Jan 2001, Scott A. McIntyre wrote:
> > I'm having a devil of a time getting this to work:
> > alert tcp $EXTERNAL_NET any -> [!,$HOME_NET] 53
> > (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP;
> > offset: 13;)
> >
> The traditional way of handling exclusions is to use pass rules.
> Something like the following would ignore dns traffic to that host:
> pass tcp $EXTERNAL_NET any -> 53
> Remeber to add the -o option to snort if you do this.

Yes, and in this case I may end up doing that.  The down side is that it
will then pass all traffic, tcp in nature, to that host/port, regardless
of the rest of the rule that existed for the alert condition.

In other words, what, instead of DNS, I wanted to have two CGI based
rules, to the same port, but different content (as is often the case).

Omitting a specific node as a destination would be best on a per-host
basis -- I want to ignore "webshop cgi" alerts on hostA, but not hostB.
It's the extra conditionals within the rule that give some of the
flexibility I'd lose by using a blanket "pass".


More information about the Snort-users mailing list