[Snort-users] snort rule help
cmg at ...671...
Tue Oct 16 20:45:15 EDT 2001
"Jeffrey Post" <jpost at ...3843...> writes:
> I am trying to modify a scan rule so that it ignores two specific hosts. I
> enclosed them in brackets and have a ! in front of each one, but snort
> still logs this traffic and puts it into the database. Is it possible to
> exclude two addresses? Here is the rule I am using.
> alert tcp $EXTERNAL_NET any -> [!A.B.C.D,!W.X.Y.Z] 8080 (msg:"SCAN Proxy
> attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)
alert tcp $EXTERNAL_NET any -> ![A.B.C.D,W.X.Y.Z] 8080 \
(msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon;\
sid:620; rev:1;)
I think that's the right approach but it's difficult to test here at
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
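
Added example, not part of the original message and not Snort's code: a small Python model of why `[!A,!B]` and `![A,B]` differ. It assumes the elements of a bracketed list are OR-ed together, which is consistent with the behaviour reported in the question but is an assumption about the matcher; the addresses are constructed stand-ins for A.B.C.D and W.X.Y.Z.

```python
import ipaddress

# Constructed sample addresses (RFC 5737 documentation ranges) standing in
# for the elided A.B.C.D and W.X.Y.Z from the thread.
HOST_A = "192.0.2.10"
HOST_B = "192.0.2.20"
OTHER = "198.51.100.7"


def parse_spec(spec):
    """Parse a Snort-style address spec into (list_negated, [(elem_negated, network)])."""
    spec = spec.strip()
    list_negated = spec.startswith("!")
    if list_negated:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    elems = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        elem_negated = tok.startswith("!")
        net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
        elems.append((elem_negated, net))
    return list_negated, elems


def matches(spec, addr):
    """Assumed semantics: a list matches if ANY element matches (OR).
    A '!' on one element inverts that element; a '!' before the list
    inverts the result of the whole list."""
    list_negated, elems = parse_spec(spec)
    ip = ipaddress.ip_address(addr)
    hit = any((ip in net) != elem_negated for elem_negated, net in elems)
    return hit != list_negated


def alerting_hosts(spec, hosts):
    """Return the destination hosts for which the rule would still fire."""
    return [h for h in hosts if matches(spec, h)]


if __name__ == "__main__":
    hosts = [HOST_A, HOST_B, OTHER]
    # "not A OR not B" is true for every address, so nothing is excluded.
    print("[!A,!B] :", alerting_hosts(f"[!{HOST_A},!{HOST_B}]", hosts))
    # "not (A OR B)" excludes exactly the two listed hosts.
    print("![A,B]  :", alerting_hosts(f"![{HOST_A},{HOST_B}]", hosts))
```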