[Snort-users] Rules for non existent IPs
cozzi at ...5487...
Fri Apr 23 11:22:13 EDT 2004
Is there any way to define a rule that will fire when an outside
source tries to access a nonexistent inside IP number? Something
like the following does not seem to work. By access I mean
running nmap, scanners, pings, etc.

alert tcp any any -> X.X.X.1 any (msg:"TCP port scan" )
alert ucp any any -> X.X.X.1 any (msg:"UCP port scan")
alert icmp any any -> X.X.X.1 any (msg:"ICMP scan")