[Snort-users] Rule header variables

Matt Kettler mkettler at ...7367...
Wed Jan 22 16:38:07 EST 2003


First, this list has a lot of UNIX shell users who can't read HTML mail. 
Please be kind and post in plain text not HTML.

To answer your question, yes you can do that easily.

IP addresses can be a single IP, a subnet, or a group of subnets, and any 
of the above can be negated.

So you probably want:

var HOME_CHECK_FOR_GAMBLING     ![192.168.1.0/24,192.168.2.0/24]

Note that this is NOT the same as:
var HOME_CHECK_FOR_GAMBLING_BAD         [!192.168.1.0/24,!192.168.2.0/24]

The second example is equivalent to "any".

Then you'd re-write your rule, using a SID greater than 1,000,000 to 
indicate that it's a local rule and use the new variable:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_CHECK_FOR_GAMBLING any 
(msg:"GAMBLING GAMES";content:"GAMBLING"; nocase; 
flow:to_client,established; sid:1020000; rev:1;)

And that should work.

In the future you can read the docs
http://www.snort.org/docs/writing_rules/

Specifically this would have been answered by reading the IP addresses section:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.3

At 06:48 PM 1/22/2003 -0500, Jim Schwin wrote (de-htmled by me):
>Hello All,
>
>Can a rule header specify all traffic except a few subnets or hosts? In 
>this example can the source have variables to exclude a few subnets or hosts?
>
>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING 
>GAMES";content:"GAMBLING"; nocase; flow:to_client,established; sid:20000; 
>rev:1000;)
>
>thanks
>
>js
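The difference between `![a,b]` and `[!a,!b]` that the reply points out is easy to get wrong when writing local rules, so here is an added example (not code from the post, the list, or Snort itself) that models the semantics the reply describes: a bracketed list matches when any member matches, and a leading `!` inverts the result of whatever follows it. That OR-of-members rule is an assumption made for this model, not a claim about Snort's real parser; the sample addresses, the `SAMPLE_IPS` list, and the `VARS` dictionary are constructed for the demonstration. The rule header and variable names come from the reply above.

```python
"""Model of Snort-style IP-list negation (added example, not Snort's own code).

Assumption (not verified against Snort's parser): a bracketed list matches when
ANY member matches, and a leading '!' inverts the result of the term after it.
Under that rule, ![a,b] means "not in a and not in b", while [!a,!b] means
"not in a OR not in b", which is true for every address when a and b are
disjoint, i.e. it collapses to 'any' as the reply says.
"""
import ipaddress
import re

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _split_top_level(body):
    """Split a bracket body on commas that are not nested inside inner brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur)
    return parts


def parse_ip_spec(spec):
    """Parse an IP field into ('net'|'list', negated, payload).

    Accepts 'any', a host, a CIDR block, a bracketed list, each optionally
    prefixed with '!'. Lists may nest.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        members = [parse_ip_spec(p) for p in _split_top_level(spec[1:-1])]
        return ("list", negated, members)
    if spec.lower() == "any":
        return ("net", negated, ANY_NET)
    return ("net", negated, ipaddress.ip_network(spec, strict=False))


def ip_matches(node, ip):
    """Evaluate a parsed spec against one address (OR across list members, then negate)."""
    kind, negated, payload = node
    addr = ipaddress.ip_address(ip)
    if kind == "net":
        hit = addr in payload
    else:
        hit = any(ip_matches(member, ip) for member in payload)
    return hit != negated  # XOR applies the leading '!'


# Constructed sample addresses: two inside the excluded subnets, three outside.
SAMPLE_IPS = ["192.168.1.5", "192.168.2.7", "192.168.3.9", "10.0.0.1", "8.8.8.8"]


def is_effectively_any(spec, ips=SAMPLE_IPS):
    """True when the spec matches every sample address, i.e. behaves like 'any'."""
    node = parse_ip_spec(spec)
    return all(ip_matches(node, ip) for ip in ips)


_VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def rule_dst_matches(rule_header, variables, ip):
    """Substitute $VARS in a rule header and test the destination IP field.

    rule_header is the part before '(' e.g.
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_CHECK_FOR_GAMBLING any'.
    """
    _action, _proto, _src, _sport, _direction, dst, _dport = rule_header.split()
    resolved = _VAR_RE.sub(lambda m: variables[m.group(1)], dst)
    return ip_matches(parse_ip_spec(resolved), ip)


# Constructed variable table using the two definitions from the reply.
VARS = {
    "HOME_CHECK_FOR_GAMBLING": "![192.168.1.0/24,192.168.2.0/24]",
    "HOME_CHECK_FOR_GAMBLING_BAD": "[!192.168.1.0/24,!192.168.2.0/24]",
}

if __name__ == "__main__":
    for name, spec in VARS.items():
        hits = [ip for ip in SAMPLE_IPS if ip_matches(parse_ip_spec(spec), ip)]
        print(f"{name:30} matches {hits}  effectively 'any': {is_effectively_any(spec)}")
```

Running the block prints which sample addresses each variable matches: the first definition excludes the two 192.168.x addresses, while the second matches all five and is reported as effectively "any". `rule_dst_matches` shows the same check applied to the rewritten rule header from the reply, so a local rule can be sanity-checked before it goes into a config.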