[Snort-users] snort rule help
erek at ...577...
Tue Oct 16 22:12:18 EDT 2001
On Tue, 16 Oct 2001, Jeffrey Post wrote:
> I am trying to modify a scan rule so that it ignores two specific hosts. I
> enclosed them in brackets and have a ! in front of each one, but snort
> still logs this traffic and puts it into the database. Is it possible to
> exclude two addresses? Here is the rule I am using.
> alert tcp $EXTERNAL_NET any -> [!A.B.C.D,!W.X.Y.Z] 8080 (msg:"SCAN Proxy
> attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)
> I am running Snort 1.8.1on one computer logging to a mysql database.
> Any help would be appreciated.
Well.... I'd go about it another way:
snort -o <rest of your options>
And in your rules:
pass tcp $EXTERNAL_NET any -> [A.B.C.D,W.X.Y.Z] 8080
That should pass all traffic from the outside to those IP's.
More information about the Snort-users