[Snort-users] Portscan preprocessor and false positives

Bennett Todd bet at ...6163...
Thu Oct 17 05:54:03 EDT 2002


2002-10-16-11:44:39 Bennett Todd:
> 	src net 192.168.0.0/24 and ip proto tcp and dst port 80

which of course would tell snort to _only_ see the packets we in
fact want to ignore. Make that

  'not (src net 192.168.0.0/24 and ip proto tcp and dst port 80)'

>   '(src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80'

  'not ((src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80)'

or maybe some alternatives, like e.g. applying a little boolean
algebra to get rid of the nested parens:

  'not (src net 10.1.1.0/24 or 192.168.1.0/24) or not (ip proto tcp and dst port 80)'

-Bennett
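
The corrected filters above, checked as an added example that is not part of the original post: the three expressions are modelled as plain Python predicates (an assumption; nothing here is compiled by libpcap) and run over constructed sample packets to show that the un-negated form passes only the traffic meant to be ignored, and that the nested and De Morgan forms agree on every packet.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Networks taken from the second filter in the post.
NETS = [ip_network("10.1.1.0/24"), ip_network("192.168.1.0/24")]
TCP, UDP = 6, 17  # IP protocol numbers

def src_in_nets(pkt):
    # models: (src net 10.1.1.0/24 or 192.168.1.0/24)
    return any(ip_address(pkt["src"]) in net for net in NETS)

def tcp_to_80(pkt):
    # models: ip proto tcp and dst port 80
    return pkt["proto"] == TCP and pkt["dport"] == 80

def original(pkt):
    # un-negated filter: snort would see ONLY these packets
    return src_in_nets(pkt) and tcp_to_80(pkt)

def negated(pkt):
    # 'not ((src net ...) and ip proto tcp and dst port 80)'
    return not (src_in_nets(pkt) and tcp_to_80(pkt))

def de_morgan(pkt):
    # 'not (src net ...) or not (ip proto tcp and dst port 80)'
    return (not src_in_nets(pkt)) or (not tcp_to_80(pkt))

def sample_packets():
    # Constructed test traffic: two in-scope sources, two out-of-scope ones.
    srcs = ["10.1.1.7", "192.168.1.20", "192.168.0.5", "203.0.113.9"]
    return [{"src": s, "proto": p, "dport": d}
            for s, p, d in product(srcs, (TCP, UDP), (80, 443))]

def check():
    pkts = sample_packets()
    seen_by_original = [p for p in pkts if original(p)]
    seen_by_negated = [p for p in pkts if negated(p)]
    equivalent = all(negated(p) == de_morgan(p) for p in pkts)
    return seen_by_original, seen_by_negated, equivalent

if __name__ == "__main__":
    only, rest, equivalent = check()
    print("un-negated filter passes:", [(p["src"], p["dport"]) for p in only])
    print("negated filter passes", len(rest), "of", len(sample_packets()), "packets")
    print("nested and De Morgan forms agree:", equivalent)
```
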