[Snort-users] Question about negated and non-negated variables in rules
mkettler at ...4108...
Mon Dec 1 07:22:07 EST 2003
At 10:12 AM 12/1/2003, J-H. Johansen wrote:
>After reading a bit I ended up with a pass rule like below:
>pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)
>I kept the sid in order to know what alert rule I'm letting pass.
Do not duplicate SIDs. This is technically a syntax error, although Snort
won't complain much about it.
Use the sid + 1000000 (one million):
pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:1000499;)
(Any sids over 1 million are reserved for local use, so you don't have to
worry about conflict.)
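As an added illustration of the advice above (example code, not from the list poster or the Snort project), the script below parses a small constructed ruleset, reports sids that appear more than once, and flags pass rules whose sid falls below the local range. The 1,000,000 threshold and the "original sid + 1,000,000" convention are taken from the reply; the ruleset and the set of rule actions recognised are assumptions made for the example.

```python
import re
from collections import defaultdict

# Threshold assumed from the thread's advice (local sid = original sid + 1000000).
LOCAL_SID_MIN = 1_000_000

# Leading action keyword and the sid option of a one-line Snort rule.
ACTION_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\b')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample ruleset (not from a real Snort distribution): the pass rule on
# the third line reuses sid 499 from the alert rule; the fourth uses the suggested 1000499.
SAMPLE_RULES = """\
# constructed sample
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; sid:499; rev:4;)
pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)
pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:1000499;)
"""


def parse_rules(text):
    """Return a list of (line_no, action, sid) for every rule line carrying a sid."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        action = ACTION_RE.match(stripped)
        sid = SID_RE.search(stripped)
        if action and sid:
            rules.append((line_no, action.group(1), int(sid.group(1))))
    return rules


def find_duplicate_sids(rules):
    """Map each sid that is used more than once to the line numbers using it."""
    seen = defaultdict(list)
    for line_no, _action, sid in rules:
        seen[sid].append(line_no)
    return {sid: lines for sid, lines in seen.items() if len(lines) > 1}


def find_local_rules_outside_range(rules, local_actions=("pass",)):
    """Return (line_no, sid) for local-policy rules (pass rules by default)
    whose sid sits below LOCAL_SID_MIN and so may collide with distributed rules."""
    return [(line_no, sid) for line_no, action, sid in rules
            if action in local_actions and sid < LOCAL_SID_MIN]


def suggest_local_sid(sid):
    """Apply the convention from the reply: original sid + 1,000,000."""
    return sid + LOCAL_SID_MIN


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for sid, lines in find_duplicate_sids(parsed).items():
        print(f"duplicate sid {sid} on lines {lines}")
    for line_no, sid in find_local_rules_outside_range(parsed):
        print(f"line {line_no}: pass rule uses sid {sid}; consider sid {suggest_local_sid(sid)}")
```

Running it against a real rules file means replacing `SAMPLE_RULES` with the file's contents; the check is intentionally conservative and only looks at single-line rules with an explicit `sid` option.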