[Snort-users] Question about negated and non-negated variables in rules

Matt Kettler mkettler at ...4108...
Mon Dec 1 07:22:07 EST 2003


At 10:12 AM 12/1/2003, J-H. Johansen wrote:
>After reading a bit I ended up with a pass rule like below:
>
>pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)
>
>
>I kept the sid in order to know what alert rule I'm letting pass.

Do not duplicate SIDs. This is technically a syntax error, although Snort 
won't complain much about it.

Use the sid + 1000000 (one million).

i.e.:

pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:1000499;)


(Any SIDs over 1 million are reserved for local use, so you don't have to 
worry about conflict.)
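The renumbering convention above is easy to get wrong across a large local.rules file, so here is an added example (my own code, not from the original post or the Snort project) that scans rule text for duplicated SIDs, flags pass rules that still carry a SID below the local range, and applies the sid + 1000000 rewrite. It assumes the local range starts at 1,000,000 as Snort documents it, and the sample rules at the top are constructed for illustration, not taken from any real ruleset.

```python
import re
from collections import defaultdict

# Snort reserves SIDs below 1,000,000 for official rulesets; 1,000,000 and
# above are the local range, so "sid + 1000000" never collides with stock rules.
LOCAL_SID_MIN = 1_000_000

# Constructed sample: an upstream alert rule, a local pass override that
# copied its sid (the mistake from the post), and a correctly numbered local rule.
SAMPLE_RULES = """\
# constructed sample rules for the SID checker
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP large packet"; dsize:>800; sid:499; rev:1;)
pass icmp $ICMP_WHITELIST any -> $HOME_NET any (dsize: >800; sid:499;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; flags:S; sid:1000001; rev:1;)
"""

ACTION_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Yield (line_no, action, sid) for every rule line that carries a sid option.

    Blank lines, comments and lines without a recognised action or sid are skipped.
    """
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action = ACTION_RE.match(line)
        sid = SID_RE.search(line)
        if not action or not sid:
            continue
        yield line_no, action.group(1), int(sid.group(1))


def find_duplicate_sids(text):
    """Return {sid: [line numbers]} for every SID used by more than one rule."""
    seen = defaultdict(list)
    for line_no, _, sid in parse_rules(text):
        seen[sid].append(line_no)
    return {sid: lines for sid, lines in seen.items() if len(lines) > 1}


def find_misnumbered_pass_rules(text):
    """Return line numbers of pass rules whose SID sits in the reserved (< 1,000,000) range."""
    return [line_no for line_no, action, sid in parse_rules(text)
            if action == "pass" and sid < LOCAL_SID_MIN]


def local_sid_for(upstream_sid):
    """Apply the post's convention: local SID = upstream SID + 1,000,000."""
    if upstream_sid >= LOCAL_SID_MIN:
        raise ValueError(f"sid {upstream_sid} is already in the local range")
    return upstream_sid + LOCAL_SID_MIN


def renumber_rule(rule):
    """Rewrite a single rule's sid into the local range; rules already there are returned unchanged."""
    match = SID_RE.search(rule)
    if not match or int(match.group(1)) >= LOCAL_SID_MIN:
        return rule
    new_sid = local_sid_for(int(match.group(1)))
    return SID_RE.sub(f"sid:{new_sid};", rule, count=1)


if __name__ == "__main__":
    for sid, lines in find_duplicate_sids(SAMPLE_RULES).items():
        print(f"sid {sid} duplicated on lines {lines}")
    for line_no in find_misnumbered_pass_rules(SAMPLE_RULES):
        print(f"line {line_no}: pass rule reuses a reserved sid")
        print("  fixed:", renumber_rule(SAMPLE_RULES.splitlines()[line_no - 1]))
```

Run it against your own local.rules by reading the file into `find_duplicate_sids` and `find_misnumbered_pass_rules`; the `renumber_rule` helper gives you the corrected line to paste back.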
