[Snort-users] snort rule help

Jeffrey Post jpost at ...3843...
Tue Oct 16 14:18:09 EDT 2001


I am trying to modify a scan rule so that it ignores two specific hosts.  I
enclosed them in brackets and have a ! in front of each one, but snort
still logs this traffic and puts it into the database.  Is it possible to
exclude two addresses?  Here is the rule I am using.

alert tcp $EXTERNAL_NET any -> [!A.B.C.D,!W.X.Y.Z] 8080 (msg:"SCAN Proxy
attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)

I am running Snort 1.8.1on one computer logging to a mysql database.
Any help would be appreciated.

                              Thanks,
                              Jeff





More information about the Snort-users mailing list