[Snort-users] Rules for non existent IPs

Marc Cozzi cozzi at ...5487...
Fri Apr 23 11:22:13 EDT 2004

Is there any way to define a rule that will fire when an outside
source tries to access a nonexistent inside IP number? Something
like the following does not seem to work. By access I mean
running nmap, scanners, pings, etc.

alert tcp any any -> X.X.X.1 any (msg:"TCP port scan";)
alert udp any any -> X.X.X.1 any (msg:"UDP port scan";)
alert icmp any any -> X.X.X.1 any (msg:"ICMP scan";)

