[Snort-users] Rule help

Gordon Cunningham gcunnin2 at ...163...
Mon Jan 27 08:53:02 EST 2003


Thanks, that'll help.  I was looking for something like this in the manual.
It should be added.  ;-)


- Gordon

 -----Original Message-----
From: 	Erick Mechler [mailto:emechler at ...7719...]
Sent:	Monday, January 27, 2003 11:41 AM
To:	Gordon Cunningham
Cc:	Snort Users Postings
Subject:	Re: [Snort-users] Rule help

:: In other words, I'd like to get SNMP Request UDP alerts from any hosts on
my
:: LAN (which is a subset of the entire company network) OTHER than the few
:: I've designated.  How do I designate a subnet and exclude a few hosts
from
:: that subnet?  I tried this - doesn't seem to work with 1.9.0:
::
:: alert udp [$HOME_NET,!1.2.4.4,!2.3.4.5,!5.4.3.2] any -> $HOME_NET 161
:: (msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
:: reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Split it up into two rules.  You're going to need one pass rule for the
hosts you don't care about, and an alert rule for the rest of $HOME_NET.
You can't have a rule with mixed logical operators, AFAIK (i.e., some hosts
negated, some not).

The section in the FAQ re: rule ordering might help with this:

  http://www.snort.org/docs/faq.html#3.13

Cheers - Erick





More information about the Snort-users mailing list