[Snort-users] Using a var in the conf and local rules

Joel Esler jesler at ...1935...
Mon Feb 25 15:29:05 EST 2013


On Feb 25, 2013, at 3:06 PM, "Lay, James" <james.lay at ...15009...> wrote:

> From: honeybadger at ...15978... [mailto:honeybadger at ...15978...]  
> Hey all, 
> 
> I am adding scanners for 600+ suspect IPs in a text file. 
> Ok adding in include snort.var 
> Adding var IP_RULES
> Then alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)
> I would like if the alert would tell me which IP it found. 
> Usually I would use a content but this is different. 
> Anyone know how to set this up?
> 
> Thanks, 
> 
> Wonder if adding these to the reputation blacklist would do the trick?  Not sure.
>  
> James

I'd recommend the IP reputation blacklist for that, instead of doing IP rules.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
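Both approaches mentioned in the thread start from the same input: a text file of suspect addresses. The script below is an added example for this page, not code from the original posters or from the Snort project. It validates and de-duplicates such a list, then emits the two artifacts discussed: an `ipvar` plus a header-match rule (the poster's draft, with the missing `alert` action and `sid:` colon supplied), and a reputation preprocessor blacklist file with its `snort.conf` stanza. The sample list, the `IP_RULES` name, sid 4525 and the path `/etc/snort/suspect.blacklist` are assumptions for illustration; the event id 136:1 is the reputation preprocessor's blacklist event in the Snort 2.9 manual and should be checked against the `preprocessor.rules` file shipped with your version.

```python
"""Turn a plain text list of suspect IPs into the two Snort 2.9 artifacts
discussed in the thread: an ipvar for a header-match rule, and a reputation
preprocessor blacklist. Added example, not the posters' or Snort's own code."""
import ipaddress

# Constructed sample of the kind of file the poster describes: one address
# per line, plus a comment, a CIDR block, a duplicate, and a typo.
SAMPLE_LIST = """\
# suspect IPs pulled from scanner logs
198.51.100.23
203.0.113.0/24
198.51.100.23
192.0.2.7  # trailing comment
999.1.1.1
"""


def _render(net):
    """Write single hosts without /32 or /128 so they read like the input."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def parse_ip_list(text):
    """Return (networks, rejected).

    networks: valid IPv4/IPv6 hosts or CIDR blocks as strings, first-seen
    order, duplicates dropped.  rejected: (line_number, raw_line) for every
    line that is not a valid address, so a typo in a 600-line file is not
    silently skipped."""
    seen = set()
    networks = []
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        token = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if net.with_prefixlen in seen:
            continue
        seen.add(net.with_prefixlen)
        networks.append(_render(net))
    return networks, rejected


def snort_ipvar(name, networks):
    """One ipvar line for snort.var: bracketed, comma separated, no spaces."""
    return "ipvar %s [%s]" % (name, ",".join(networks))


def snort_rule(var_name, sid, msg):
    """Header-only rule: any source to a listed destination.  No content
    match, so it fires on every packet to a listed address."""
    return 'alert tcp any any -> $%s any (msg:"%s"; sid:%d; rev:1;)' % (
        var_name, msg, sid)


def reputation_blacklist(networks):
    """Blacklist file body: one IP or CIDR per line, '#' is a comment."""
    return "\n".join(["# generated suspect-IP blacklist"] + networks) + "\n"


def reputation_config(blacklist_path):
    """snort.conf stanza.  A hit raises preprocessor event gid 136, sid 1
    (enable it in preprocessor.rules); in inline mode the packet is dropped."""
    return "preprocessor reputation: \\\n    blacklist %s" % blacklist_path


def build_all(text, var_name="IP_RULES", sid=4525,
              blacklist_path="/etc/snort/suspect.blacklist"):
    """Produce every artifact from one list; hypothetical defaults above."""
    networks, rejected = parse_ip_list(text)
    return {
        "ipvar": snort_ipvar(var_name, networks),
        "rule": snort_rule(var_name, sid, "suspect IP detected"),
        "blacklist": reputation_blacklist(networks),
        "preprocessor": reputation_config(blacklist_path),
        "rejected": rejected,
    }


if __name__ == "__main__":
    out = build_all(SAMPLE_LIST)
    for lineno, raw in out["rejected"]:
        print("line %d rejected: %r" % (lineno, raw))
    print(out["ipvar"])
    print(out["rule"])
    print(out["preprocessor"])
    print(out["blacklist"])
```

Either way the alert is raised on a packet, so the alert record already carries that packet's source and destination addresses; the matching address is visible without any content match. The difference is where the work is done: the `ipvar` rule is evaluated by the rule engine for every TCP packet and grows noisy with a large list, while the reputation preprocessor is built for large address lists and matches them at the packet level before the rules run.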