[Snort-users] ignore host for just a couple of rules, not all

Brian Caswell bmc at ...312...
Fri Jun 15 09:02:18 EDT 2001


Roeland Weve wrote:
> 47 45 54 20 2F 73 65 61 72 63 68 72 65 73 75 6C   GET /searchresul
> 74 2F 2E 2E 2F 70 69 78 2F 6E 61 76 2F 6D 6F 5F   t/../pix/nav/mo_
> 30 5F 61 2E 67 69 66 20 48 54 54 50 2F 31 2E 30   0_a.gif HTTP/1.0
> 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A   ..Referer: http:
> 
> I now exlude this host via:
> pass tcp any any -> hostip 80

pass tcp any any -> hostip 80 (msg:"pass /../ where acceptable";
uricontent:"/../"; flags:A+;)

-- 
Brian Caswell
The MITRE Corporation




More information about the Snort-users mailing list