[Snort-users] Rule header variables

Erick Mechler emechler at ...7719...
Wed Jan 22 16:21:02 EST 2003


:: Can a rule header specify all traffic except a few subnets or hosts? In this
:: example can the source have variables to exclude a few subnets or hosts? 
::  
:: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING
:: GAMES";content:"GAMBLING"; nocase; flow:to_client,established; sid:20000;
:: rev:1000;)

Sure it can.  Check the Snort Users Manual on how to do exactly this.
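
Added example, not part of the original post and not copied from the Snort Users Manual: the question's rule with its source address negated using the `!` operator on a list variable. The variable name `EXEMPT_SRC`, the addresses (documentation ranges) and `sid:20001` are constructed placeholders.

```snort
# Constructed placeholder addresses; substitute the subnets/hosts to exclude.
# 'var' is the declaration keyword of this post's era; later Snort 2.x
# releases declare address variables with 'ipvar' instead.
var EXEMPT_SRC [192.0.2.0/24,198.51.100.25/32]

# Rule from the question: source is anything in $EXTERNAL_NET.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING GAMES"; content:"GAMBLING"; nocase; flow:to_client,established; sid:20000; rev:1000;)

# Same rule with the source negated: matches every source address
# EXCEPT those in EXEMPT_SRC. The '!' applies to the whole list.
alert tcp !$EXEMPT_SRC $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING GAMES"; content:"GAMBLING"; nocase; flow:to_client,established; sid:20001; rev:1;)
```

Because `!$EXEMPT_SRC` replaces `$EXTERNAL_NET` in the header, the second rule no longer restricts the source to external addresses; it matches any source outside the exempt list.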



