[Snort-users] Rule header variables
mkettler at ...7367...
Wed Jan 22 16:38:07 EST 2003
First, this list has a lot of UNIX shell users who can't read HTML mail.
Please be kind and post in plain text not HTML.
To answer your question, yes you can do that easily.
IP addresses can be a single IP, a subnet, or a group of subnets, and any
of the above can be negated.
so you probably want
var HOME_CHECK_FOR_GAMBLING ![192.168.1.0/24,192.168.2.0/24]
note that this is NOT the same as:
var HOME_CHECK_FOR_GAMBLING_BAD [!192.168.1.0/24,!192.168.2.0/24]
The second example is equivalent to "any".
Then you'd re-write your rule, using a SID greater than 1,000,000 to
indicate that it's a local rule and use the new variable:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_CHECK_FOR_GAMBLING any
(msg:"GAMBLING GAMES";content:"GAMBLING"; nocase;
flow:to_client,established; sid:1020000; rev:1;)
And that should work.
In the future, you can read the docs.
Specifically this would have been answered by reading the IP addresses section:
At 06:48 PM 1/22/2003 -0500, Jim Schwin wrote (de-htmled by me):
>Can a rule header specify all traffic except a few subnets or hosts? In
>this example can the source have variables to exclude a few subnets or hosts?
>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GAMBLING
>GAMES";content:"GAMBLING"; nocase; flow:to_client,established; sid:20000;