[Snort-users] Rule help

Gordon Cunningham gcunnin2 at ...163...
Mon Jan 27 07:35:03 EST 2003


I'm not quite sure how to approach writing or modifying rules for this
scenario.  I have several hosts on my LAN that use SNMP polling for
monitoring.  If I use the default rulebase for "SNMP request udp", these
hosts will continually trigger alerts.  However, I'm not sure how to write
the rule to exclude them but still limit the FROM addresses to my LAN.

In other words, I'd like to get SNMP Request UDP alerts from any hosts on my
LAN (which is a subset of the entire company network) OTHER than the few
I've designated.  How do I designate a subnet and exclude a few hosts from
that subnet?  I tried this - doesn't seem to work with 1.9.0:

alert udp [$HOME_NET,!1.2.4.4,!2.3.4.5,!5.4.3.2] any -> $HOME_NET 161
(msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)


- Gordon
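Added example (not part of Gordon's message, and not a stock Snort rule file): three ways to keep sid 1417 for the LAN while leaving the known pollers out. The addresses are assumed for illustration: the LAN is 10.1.0.0/16 and the three pollers are 10.1.0.5, 10.1.0.6 and 10.1.0.7; the stock rule body for sid 1417 is kept as in the message.

```snort
# Added example, not from the original post. Assumed addresses:
# LAN = 10.1.0.0/16, SNMP pollers = 10.1.0.5, 10.1.0.6, 10.1.0.7.

# --- Option 1: pass rule (works on Snort 1.9) ---
# The default rule order is Alert -> Pass -> Log, so a pass rule never wins
# on its own; start Snort with -o to get Pass -> Alert -> Log.
var HOME_NET 10.1.0.0/16
var SNMP_POLLERS [10.1.0.5,10.1.0.6,10.1.0.7]

# Matched first (with -o): polling traffic from the three known hosts is dropped
# from further rule evaluation, so sid 1417 never sees it.
pass udp $SNMP_POLLERS any -> $HOME_NET 161 (msg:"SNMP request from known poller";)

# Everything else on the LAN still alerts; the source side stays limited
# to $HOME_NET, not the whole company network.
alert udp $HOME_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

# --- Option 2: nested negation in an ipvar (Snort 2.8 and later, IPv6-enabled build) ---
# The newer IP-list parser accepts "network except these hosts" in one list, so the
# exclusion can live in a variable instead of a second rule. The negated entries
# must fall inside the positive range, or the list is rejected at startup.
ipvar LAN_NOT_POLLERS [10.1.0.0/16,![10.1.0.5,10.1.0.6,10.1.0.7]]

alert udp $LAN_NOT_POLLERS any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

# --- Option 3: suppress by source (Snort 2.x threshold.conf) ---
# Leaves the rule untouched and silences only this sid for the named sources,
# so the exclusion survives a rule update. One entry per poller.
suppress gen_id 1, sig_id 1417, track by_src, ip 10.1.0.5
suppress gen_id 1, sig_id 1417, track by_src, ip 10.1.0.6
suppress gen_id 1, sig_id 1417, track by_src, ip 10.1.0.7
```

Use one of the three, not all together in one config. Option 1 is the only one available to a 1.9.0 sensor; the other two need the 2.x rewrites, and option 3 is the least invasive because it does not change the rule itself and so is not lost when the rule set is refreshed. Check the chosen pass rule or suppress line with a test poll from one excluded host and one non-excluded host before trusting it.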