[Snort-users] Ignore host

David Scott davidscott at ...655...
Fri Apr 11 07:20:07 EDT 2003

I'm trying to ignore traffic from a particular host, but ONLY for a specific
set of rules (PORN.RULES). I want to use the syntax

alert tcp $EXTERNAL_NET $HTTP_PORTS -> [$HOME_NET,!] any (msg:"PORN alt.binaries.pictures.erotica"; content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:porn; sid:1836; rev:1;)

Where I've added ! to the standard $HOME_NET variable. Is
this acceptable? Is this the most efficient way to do this?

David Scott
Memphis Technology Associates
