[Snort-users] Rule help

Gordon Cunningham gcunnin2 at ...163...
Mon Jan 27 08:53:02 EST 2003

Thanks, that'll help.  I was looking for something like this in the manual.
It should be added.  ;-)

- Gordon

 -----Original Message-----
From: 	Erick Mechler [mailto:emechler at ...7719...]
Sent:	Monday, January 27, 2003 11:41 AM
To:	Gordon Cunningham
Cc:	Snort Users Postings
Subject:	Re: [Snort-users] Rule help

:: In other words, I'd like to get SNMP Request UDP alerts from any hosts on
:: LAN (which is a subset of the entire company network) OTHER than the few
:: I've designated.  How do I designate a subnet and exclude a few hosts
:: that subnet?  I tried this - doesn't seem to work with 1.9.0:
:: alert udp [$HOME_NET,!,!,!] any -> $HOME_NET 161
:: (msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
:: reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Split it up into two rules.  You're going to need one pass rule for the
hosts you don't care about, and an alert rule for the rest of $HOME_NET.
You can't have a rule with mixed logical operators, AFAIK (i.e., some hosts
negated, some not).

The section in the FAQ re: rule ordering might help with this:


Cheers - Erick

More information about the Snort-users mailing list