[Snort-users] snort rules, IP addresses and not's

Young, Eric thatguy at ...3780...
Thu Oct 11 07:56:11 EDT 2001

I'm working on doing some snort rules to slim down my alerts where I know
that they need to be.

For an example, let's say I'm getting a lot of large ICMP packet alerts to a
certain box and I know why it's doing it and so I want to keep those alerts
out of my alerts file.

What I'd really like to do is this:

alert icmp $EXTERNAL_NET any -> [!123.456.789.123,$HOME_NET] any (msg:"MISC Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)

Note in the dest IP addr section here the combination of an excluded IP
address and an accepted range of IP addresses.  So, I'm saying I want this
rule to fire unless the destination is 123.456.789.123.  Is it possible to
mix accepted and not-accepted IP addresses like this in a single snort rule?
I think I could write a pass rule for this but I'm hesitant to do the "-o"
reordering as I would rather catch my mistakes.

I've looked through the snort docs & they don't really address this format.

Thanks for any info!

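To make the semantics the poster is asking for concrete, here is a small evaluator for Snort-style address specifiers, added as an example and not code from the original post or from the Snort project. It treats a negated entry inside a list as an exception carved out of the positive entries (so `[!X,$HOME_NET]` reads "in HOME_NET but not X"), which is an assumed interpretation of the rule, not a statement of how any particular Snort version parses it. The `HOME_NET`/`EXTERNAL_NET` values and the host `192.168.1.50` (standing in for the post's placeholder address) are constructed for the example.

```python
import ipaddress

# Constructed stand-ins for the "var" lines in snort.conf (not from the post).
VARS = {
    "HOME_NET": "[192.168.1.0/24,10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The poster's rule on one line, with the constructed host 192.168.1.50
# replacing the placeholder address from the mail.
RULE = ('alert icmp $EXTERNAL_NET any -> [!192.168.1.50,$HOME_NET] any '
        '(msg:"MISC Large ICMP Packet"; dsize:>800; reference:arachnids,246; '
        'classtype:bad-unknown; sid:499; rev:1;)')


def _split_top_level(s):
    """Split an address list on commas that are not inside nested [...]."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def matches(spec, addr, variables=VARS):
    """True if addr is selected by the Snort-style address specifier spec."""
    spec = spec.strip()
    if spec.startswith('!'):                       # whole-specifier negation
        return not matches(spec[1:], addr, variables)
    if spec == 'any':
        return True
    if spec.startswith('$'):                       # variable reference
        return matches(variables[spec[1:]], addr, variables)
    if spec.startswith('[') and spec.endswith(']'):
        entries = _split_top_level(spec[1:-1])
        includes = [e for e in entries if not e.startswith('!')]
        excludes = [e[1:] for e in entries if e.startswith('!')]
        # Assumed semantics: negated entries are exceptions to the positive
        # entries; a list made only of negations means "everything except".
        if any(matches(e, addr, variables) for e in excludes):
            return False
        if not includes:
            return True
        return any(matches(e, addr, variables) for e in includes)
    # Plain host or CIDR block.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def header_fields(rule):
    """Split the rule header (everything before the option parentheses)."""
    action, proto, src, sport, direction, dst, dport = rule.split('(', 1)[0].split()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def rule_selects(rule, src_ip, dst_ip, variables=VARS):
    """True if the rule's address fields select this src/dst pair (ports and
    payload options such as dsize are ignored here)."""
    h = header_fields(rule)
    fwd = matches(h["src"], src_ip, variables) and matches(h["dst"], dst_ip, variables)
    if h["direction"] == '<>':
        rev = matches(h["src"], dst_ip, variables) and matches(h["dst"], src_ip, variables)
        return fwd or rev
    return fwd


if __name__ == "__main__":
    for src, dst in [("203.0.113.9", "192.168.1.7"),     # external -> home: alert
                     ("203.0.113.9", "192.168.1.50"),    # excluded host: no alert
                     ("192.168.1.7", "192.168.1.8")]:    # home -> home: no alert
        print(src, "->", dst, "selected:", rule_selects(RULE, src, dst))
```

Running it shows the excluded host falling out of the match while the rest of `$HOME_NET` still triggers, which is the behaviour the post wants from a single rule; whether a given Snort release accepts mixed lists this way has to be confirmed against that release's rule parser rather than assumed.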