[Snort-users] snort rule help

Chris Green cmg at ...671...
Tue Oct 16 20:45:15 EDT 2001


"Jeffrey Post" <jpost at ...3843...> writes:

> I am trying to modify a scan rule so that it ignores two specific hosts.  I
> enclosed them in brackets and have a ! in front of each one, but snort
> still logs this traffic and puts it into the database.  Is it possible to
> exclude two addresses?  Here is the rule I am using.
>
> alert tcp $EXTERNAL_NET any -> [!A.B.C.D,!W.X.Y.Z] 8080 (msg:"SCAN Proxy
> attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)

Try:

alert tcp $EXTERNAL_NET any -> ![A.B.C.D,W.X.Y.Z] 8080 \
  (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon;\
   sid:620; rev:1;)

I think that's the right approach, but it's difficult to test here at
the moment.
-- 
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
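As an added illustration (not part of this thread and not Snort's own code), the following evaluator models the two address-list spellings from the rules above and shows why they differ. It assumes the reading under which each entry of a bracketed list is tested on its own and the list is satisfied if any entry matches, with a leading `!` on an entry negating that entry and a `!` in front of the bracket negating the whole list; whether a given Snort release evaluates lists exactly this way is not stated on this page, so that reading is an assumption. The sample addresses are constructed RFC 5737 documentation addresses standing in for A.B.C.D and W.X.Y.Z.

```python
"""
Added example, not code from the mailing-list thread or from Snort.
Models an address list where:
  - a bracketed list matches if ANY entry matches (assumption),
  - '!' on an entry negates that entry,
  - '!' in front of the bracket negates the whole list.
"""
import ipaddress


def _parse_entry(entry):
    """Turn 'A' or '!A' into (negated, ip_network)."""
    entry = entry.strip()
    negate = entry.startswith("!")
    if negate:
        entry = entry[1:].strip()
    return negate, ipaddress.ip_network(entry, strict=False)


def parse_address_spec(spec):
    """Return (outer_negated, [(entry_negated, network), ...])."""
    spec = spec.strip()
    outer = spec.startswith("!")
    if outer:
        spec = spec[1:].strip()
    body = spec[1:-1] if spec.startswith("[") and spec.endswith("]") else spec
    return outer, [_parse_entry(e) for e in body.split(",") if e.strip()]


def address_matches(spec, ip):
    """True if the address spec accepts this destination address."""
    outer, entries = parse_address_spec(spec)
    addr = ipaddress.ip_address(ip)
    hit = False
    for negate, net in entries:
        in_net = addr in net
        # An entry matches when the address is inside it, or, if the
        # entry is negated, when the address is outside it.
        if in_net != negate:
            hit = True
            break
    return (not hit) if outer else hit


# Constructed stand-ins for the A.B.C.D / W.X.Y.Z placeholders.
HOST_A = "192.0.2.10"
HOST_B = "192.0.2.20"
OTHER = "192.0.2.30"

POSTED_SPEC = f"[!{HOST_A},!{HOST_B}]"    # as in the question
SUGGESTED_SPEC = f"![{HOST_A},{HOST_B}]"  # as in the reply


def compare():
    """Map each sample destination to (posted matches, suggested matches)."""
    return {
        ip: (address_matches(POSTED_SPEC, ip),
             address_matches(SUGGESTED_SPEC, ip))
        for ip in (HOST_A, HOST_B, OTHER)
    }


if __name__ == "__main__":
    for ip, (posted, suggested) in compare().items():
        print(f"{ip}: [!A,!B] -> {posted}   ![A,B] -> {suggested}")
```

Under that reading, `[!A,!B]` accepts every destination, including A and B themselves: a packet to A fails the `!A` entry but satisfies the `!B` entry, so the rule still fires, which is consistent with the behaviour described in the question. `![A,B]` first checks whether the destination is A or B and then inverts the result, so only those two hosts are excluded.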
