[Snort-users] Problem with rule

james the_saint_james at ...131...
Wed Mar 13 10:19:02 EST 2002


var RADIUS_EXT [!216.126.128.165,!216.126.128.164,!66.19.192.195,!66.19.192.194,!216.126.136.244,\
!216.126.136.243,!216.126.128.11,!216.126.128.10,\
!216.126.128.9,!216.126.128.8,!192.5.41.40,!192.5.41.41,!216.126.128.8,!216.126.128.9,\
!216.126.128.10,!216.126.128.11,!216.126.128.164,!216.126.128.165,!216.126.136.243,!66.19.192.194]

alert tcp $RADIUS_EXT any -> $RADIUS 1645:1646 (msg:"Radius External TCP radius traffic not\
in allow table"; flags:A+;)
alert udp $RADIUS_EXT any -> $RADIUS 1645:1646 (msg:"Radius External UDP radius traffic not\
in allow table";)


I have also tried doing  var RADIUS_EXT ![216.126.128.165, etc.]

This does not seem to work. I am trying to alert on outside radius contacts
to our radius servers.
Still getting alerts from the IPs in $RADIUS_EXT. The rule does alert on
contacts from radius ports.
What am I doing wrong?




