[Snort-users] Rule header variables
emechler at ...7719...
Wed Jan 22 16:21:02 EST 2003
:: Can a rule header specify all traffic except a few subnets or hosts? In this
:: example can the source have variables to exclude a few subnets or hosts?
:: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING
:: GAMES";content:"GAMBLING"; nocase; flow:to_client,established; sid:20000;
Sure it can. Check the Snort Users Manual on how to do exactly this.
More information about the Snort-users