[Snort-users] Ignore host

David Scott davidscott at ...655...
Fri Apr 11 07:20:07 EDT 2003


I'm trying to ignore traffic from a particular host, but ONLY for a specific
set of rules (PORN.RULES). I want to use the syntax

alert tcp $EXTERNAL_NET $HTTP_PORTS -> [$HOME_NET,!10.195.1.195/32] any (msg:"PORN alt.binaries.pictures.erotica"; content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:porn; sid:1836; rev:1;)

Where I've added !10.195.1.195/32 to the standard $HOME_NET variable. Is
this acceptable? Is this the most efficient way to do this?


David Scott
Memphis Technology Associates
http://www.perimeterdefenses.com
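
Added example, not part of the original post and not Snort's own code: a small Python model of how the destination list [$HOME_NET,!10.195.1.195/32] is evaluated under the two list semantics the Snort manual describes (versions 2.7.x and earlier OR every element together; later versions OR the non-negated elements and AND the result with the negated ones). The HOME_NET value and the test addresses are constructed assumptions, and the helper names are hypothetical.

```python
import ipaddress

# Constructed value: the post does not say what $HOME_NET is set to.
VARIABLES = {"HOME_NET": "10.195.1.0/24"}
DESTINATION = "[$HOME_NET,!10.195.1.195/32]"  # destination field from the rule

def parse_list(spec, variables):
    """Split a Snort-style address list into (plain, negated) networks."""
    if "!$" in spec:
        raise ValueError("negated variables are outside this sketch")
    # Substitute longer names first so $HOME_NET2 is not clobbered by $HOME_NET.
    for name in sorted(variables, key=len, reverse=True):
        spec = spec.replace("$" + name, variables[name])
    plain, negated = [], []
    for item in spec.replace("[", "").replace("]", "").split(","):
        item = item.strip()
        bucket = negated if item.startswith("!") else plain
        cidr = item.lstrip("!")
        bucket.append(ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr))
    return plain, negated

def matches_and(addr, plain, negated):
    """Later semantics: in some plain element AND in no negated element."""
    ip = ipaddress.ip_address(addr)
    in_plain = not plain or any(ip in net for net in plain)
    return in_plain and not any(ip in net for net in negated)

def matches_or(addr, plain, negated):
    """2.7.x-and-earlier semantics: every element OR'ed, negated ones included."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in plain) or any(ip not in net for net in negated)

def compare(addr, spec=DESTINATION, variables=VARIABLES):
    """Return the match result for addr under both semantics."""
    plain, negated = parse_list(spec, variables)
    return {"and": matches_and(addr, plain, negated),
            "or": matches_or(addr, plain, negated)}

if __name__ == "__main__":
    # Excluded host, another internal host, and an address outside HOME_NET.
    for addr in ("10.195.1.195", "10.195.1.20", "192.0.2.7"):
        print(addr, compare(addr))
```

Under the OR semantics the excluded host still matches because it is inside HOME_NET, so the version of Snort in use decides whether the exclusion takes effect.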
