[Snort-users] Remove Home_NET from EXTERNAL_NET any

DThomaz at ...6151... DThomaz at ...6151...
Wed Jul 3 11:02:04 EDT 2002



On Wed, 3 Jul 2002 DThomaz at ...6151... wrote:

>
> How about removing  and address from the rule.
>
> alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)
>
> I do not want to see alerts from 172.20.11.3, should I edit at the rule or
> at the snort.conf?
> When I remove from the rule I get this error running snort
>
> Jul  3 11:16:40 ormnm9 snort: FATAL ERROR: ERROR /etc/snort//misc.rules (7)
> => Rule netmask (16!172.20.11.3/30) didn't x-late, WTF?
>

Nope.  Wrong syntax.  Have a look at:

     http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3
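
The address-field syntax the reply refers to, as an added example that is not part of the original thread or of Snort itself: a small checker for the source and destination fields of a rule header. The grammar is a simplified assumption (`any`, an IP or CIDR block, a `$variable`, or a bracketed comma list, with one optional leading `!`), and `RULE_NEGATED` is a constructed rule that assumes EXTERNAL_NET is `any`, as in the thread subject.

```python
import ipaddress
import re

VAR = re.compile(r"\$\w+")

# Rule exactly as quoted in the post (wrapped lines joined).
RULE_FROM_POST = ('alert icmp $EXTERNAL_NET!172.20.11.3 any -> $HOME_NET any '
                  '(msg:"MISC Large ICMP Packet"; dsize: >800; '
                  'reference:arachnids,246; classtype:bad-unknown; sid:499; rev:1;)')
# Constructed for this example: the negation leads the address field.
RULE_NEGATED = RULE_FROM_POST.replace("$EXTERNAL_NET!172.20.11.3", "!172.20.11.3")

def _valid_element(tok):
    """One address: 'any', a $variable, or an IP with optional /CIDR."""
    if tok == "any" or VAR.fullmatch(tok):
        return True
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False

def check_address(field):
    """Return None if the address field is well formed, else a reason."""
    negated = field.startswith("!")
    body = field[1:] if negated else field
    if negated and body == "any":
        return "'any' cannot be negated"
    if body.startswith("[") and body.endswith("]"):
        elems = body[1:-1].split(",")   # list form: [a,b,c], no spaces
    else:
        elems = [body]
    for e in elems:
        if "!" in e:
            return f"'!' must lead the address or list, found inside {e!r}"
        if not _valid_element(e):
            return f"not an address, CIDR block or variable: {e!r}"
    return None

def check_rule(rule):
    """Check the source and destination address fields of one rule header."""
    # header: action proto src_addr src_port direction dst_addr dst_port
    header = rule.split("(", 1)[0].split()
    if len(header) != 7:
        return [f"header needs 7 fields, got {len(header)}"]
    fields = (("source", header[2]), ("destination", header[5]))
    return [f"{n}: {r}" for n, f in fields if (r := check_address(f))]
```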



