[Snort-users] IP Addresses in Rule
erek at ...577...
Wed Oct 9 11:00:04 EDT 2002
On Wed, 9 Oct 2002, Mike McCabe wrote:
> How do I include specific IP addresses in a rule? Say I want to have
> certain IP addresses not looked at and still want the rule to use
> EXTERNAL_NET... Something like:
> alert tcp [!X.Y.W.Z/32,!A.B.C.D/32,!E.F.G.H/32,$EXTERNAL_NET] any ->
> $HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+;
> offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:255;
> But it doesn't seem to work...
> Any help would be appreciated...
If I'm correct about what you're trying to do: 2 machines in $EXTERNAL_NET
will connect to do a zone transfer from some machines inside your $HOME_NET. You
want to ignore those packets from those machines, but still alert on anyone
else. Is that right?
If it is, then this link should tell you what you need. :)