[Snort-users] snort rule help
jpost at ...3843...
Tue Oct 16 14:18:09 EDT 2001
I am trying to modify a scan rule so that it ignores two specific hosts. I
enclosed them in brackets and have a ! in front of each one, but snort
still logs this traffic and puts it into the database. Is it possible to
exclude two addresses? Here is the rule I am using.
alert tcp $EXTERNAL_NET any -> [!A.B.C.D,!W.X.Y.Z] 8080 (msg:"SCAN Proxy
attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)
I am running Snort 1.8.1on one computer logging to a mysql database.
Any help would be appreciated.
More information about the Snort-users