[Snort-users] snort rules, IP addresses and not's
thatguy at ...3780...
Thu Oct 11 07:56:11 EDT 2001
I'm working on doing some snort rules to slim down my alerts where I know
that they need to be.
For an example, let's say I'm getting a lot of large ICMP packet alerts to a
certain box and I know why it's doing it and so I want to keep those alerts
out of my alerts file.
What I'd really like to do is this:
alert icmp $EXTERNAL_NET any -> [!123.456.789.123,$HOME_NET] any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)
Note in the dest IP addr section here the combination of an excluded IP
address and an accepted range of IP addresses. So, I'm saying I want this
rule to fire unless the destination is 123.456.789.123. Is it possible to
mix accepted and not-accepted IP addresses like this in a single snort rule?
I think I could write a pass rule for this but I'm hesitant to do the "-o"
reordering as I would rather catch my mistakes.
I've looked through the snort docs & they don't really address this format.
Thanks for any info!
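As an added illustration (not part of the original post and not Snort's own parser), a small Python model of the semantics the rule above is asking for: an address matches the list when it falls inside at least one non-negated entry and inside none of the negated ones. The 192.168.1.0/24 binding for $HOME_NET and the excluded host 192.168.1.50 are constructed values.

```python
import ipaddress

# Constructed stand-ins for the variables snort.conf would define (assumption).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}


def parse_ip_list(expr, variables=VARS):
    """Split a Snort-style address field such as '[!192.168.1.50,$HOME_NET]'
    into (positives, negatives), each a list of ip_network objects."""
    expr = expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    positives, negatives = [], []
    for item in expr.split(","):
        item = item.strip()
        negate = item.startswith("!")
        if negate:
            item = item[1:]
        item = variables.get(item, item)          # expand $VAR references
        if item.startswith("!"):                  # a variable may itself be negated
            negate = not negate
            item = item[1:]
        if item == "any":
            item = "0.0.0.0/0"
        net = ipaddress.ip_network(item, strict=False)
        (negatives if negate else positives).append(net)
    return positives, negatives


def matches(expr, addr, variables=VARS):
    """True when addr would satisfy the address field expr: it must not be in
    any negated entry, and must be in some non-negated entry (a list made
    only of negations means 'anything except these')."""
    ip = ipaddress.ip_address(addr)
    positives, negatives = parse_ip_list(expr, variables)
    if any(ip in net for net in negatives):
        return False
    if not positives:
        return True
    return any(ip in net for net in positives)


if __name__ == "__main__":
    dest = "[!192.168.1.50,$HOME_NET]"
    for host in ("192.168.1.50", "192.168.1.51", "10.0.0.1"):
        print(host, "->", "fires" if matches(dest, host) else "suppressed")
```

Running it shows the excluded host suppressed, another HOME_NET host firing, and an address outside HOME_NET not matching at all.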