[Snort-users] IP Address's in Rule
rdesmond at ...6547...
Thu Oct 10 08:14:04 EDT 2002
At 12:57 PM 10/9/02 -0400, Mike McCabe wrote:
>How do I include specific IP addresses in a rule. Say I want to have
>certain IP addresses not looked at and still want the rule to use
>EXTERNAL_NET... Something like:
>alert tcp [!X.Y.W.Z/32,!A.B.C.D/32,!E.F.G.H/32,$EXTERNAL_NET] any ->
>$HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+;
>offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:255;)
>But it doesn't seem to work...
>Any help would be appreciated...
Well, the problem is this: the commas in a snort IP list are logical ORs.
If $EXTERNAL_NET includes x.y.w.z or a.b.c.d or e.f.g.h, the alert will
still fire. If I am wrong about this, I wish one of the snort people would
tell me, because all of my past experience with snort has told me that this
is the case.
Of course, it makes sense, since creating a rule that listed
[f.b.m.c,r.t.d.u] would mean you wanted both of them checked, which is a
UCSB Extended Learning Services
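A small model of the list semantics the reply describes, added here as an example (it is not code from the thread or from Snort itself): commas are evaluated as logical OR and `!` negates its operand. The addresses and the variable table standing in for snort.conf `var` lines are constructed stand-ins for X.Y.W.Z and friends; the model also evaluates a negated whole list so the two readings can be compared.

```python
import ipaddress

# Constructed stand-ins for snort.conf 'var' lines (assumption, not from the post).
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

def split_top(spec):
    """Split a bracketed list on commas that are not inside nested brackets."""
    items, depth, cur = [], 0, ""
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]

def matches(spec, ip, variables=VARS):
    """True if ip is matched by spec, treating a comma-separated list as
    logical OR (the reading given in the reply) and '!' as negation of
    whatever follows it (a single address, a $variable, or a whole list)."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(matches(item, ip, variables) for item in split_top(spec[1:-1]))
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

# Constructed addresses in place of X.Y.W.Z, A.B.C.D from the quoted rule.
AS_POSTED = "[!10.0.0.5/32,!10.0.0.6/32,$EXTERNAL_NET]"
# The same exclusions expressed as one negated list.
NEGATED_LIST = "![$HOME_NET,10.0.0.5/32,10.0.0.6/32]"

def evaluate(ip):
    """Return (as_posted, negated_list) match results for one source address."""
    return matches(AS_POSTED, ip), matches(NEGATED_LIST, ip)
```

Under the OR reading, a list containing any `!` item matches every address, so the "excluded" hosts and even home hosts still satisfy the source field; the negated whole list excludes exactly the three networks and nothing else.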