[Snort-users] Rules Question

[Roy Kidder]

I'm trying to write what I expected to be a simple set rules, but it's not
working for me. They look like this:

pass udp any any <> 10.0.0.10 53
pass udp any any <> 192.168.1.5 53
alert udp any any <> any 53 (msg: "DNS Query";)

What I expected was to alert on any DNS queries except those to 10.0.0.10 or
to 192.168.1.5. Instead, I'm seeing alerts on everything including those two
hosts. 

Any pointers on what I did wrong?

Thanks in advance,
Roy

 
Roy Kidder
Network Engineer
Safelite Glass Corp.