[Snort-users] Rule help
gcunnin2 at ...163...
Mon Jan 27 08:53:02 EST 2003
Thanks, that'll help. I was looking for something like this in the manual.
It should be added. ;-)
From: Erick Mechler [mailto:emechler at ...7719...]
Sent: Monday, January 27, 2003 11:41 AM
To: Gordon Cunningham
Cc: Snort Users Postings
Subject: Re: [Snort-users] Rule help
:: In other words, I'd like to get SNMP Request UDP alerts from any hosts on
:: LAN (which is a subset of the entire company network) OTHER than the few
:: I've designated. How do I designate a subnet and exclude a few hosts
:: that subnet? I tried this - doesn't seem to work with 1.9.0:
:: alert udp [$HOME_NET,!126.96.36.199,!188.8.131.52,!184.108.40.206] any -> $HOME_NET 161
:: (msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
:: reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)
Split it up into two rules. You're going to need one pass rule for the
hosts you don't care about, and an alert rule for the rest of $HOME_NET.
You can't have a rule with mixed logical operators, AFAIK (i.e., some hosts
negated, some not).
The section in the FAQ re: rule ordering might help with this:
Cheers - Erick
More information about the Snort-users