[Snort-users] snort rule help

Erek Adams erek at ...577...
Tue Oct 16 22:12:18 EDT 2001


On Tue, 16 Oct 2001, Jeffrey Post wrote:

> I am trying to modify a scan rule so that it ignores two specific hosts.  I
> enclosed them in brackets and have a ! in front of each one, but snort
> still logs this traffic and puts it into the database.  Is it possible to
> exclude two addresses?  Here is the rule I am using.

Yes.

> alert tcp $EXTERNAL_NET any -> [!A.B.C.D,!W.X.Y.Z] 8080 (msg:"SCAN Proxy
> attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)
>
> I am running Snort 1.8.1on one computer logging to a mysql database.
> Any help would be appreciated.

Well....  I'd go about it another way:

  snort -o <rest of your options>

And in your rules:

  pass tcp $EXTERNAL_NET any -> [A.B.C.D,W.X.Y.Z] 8080

That should pass all traffic from the outside to those IP's.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list