[Snort-users] Using a var in the conf and local rules

Joel Esler jesler at ...1935...
Mon Feb 25 16:42:43 EST 2013


The IP blacklist can be made to not drop traffic by default (in fact, that is the default configuration by just turning the rules on).


On Feb 25, 2013, at 3:39 PM, Stephen Mintz <greybard at ...15978...> wrote:

> Actually about it, I don't want to blacklist the sites, just get an alert when they are attempted. 
> 
> So back to a conf var. 
> 
> 
> 
> "Lay, James" <james.lay at ...15009...> wrote:
> From: Stephen Mintz [mailto:greybard at ...15978...] 
> Sent: Monday, February 25, 2013 1:15 PM
> To: Lay, James
> Subject: Re: [Snort-users] Using a var in the conf and local rules
> 
> 
> 
> Hey James, 
> 
> Thanks for the reply! 
> Not sure either, never done that. 
> I am open for trying anything so I will check into it. 
> If anyone has any advice please reply? 
> 
> 
> 
> 
> "Lay, James" <james.lay at ...15009...> wrote:
> 
> From: honeybadger at ...15978... [mailto:honeybadger at ...15978...] 
> Sent: Monday, February 25, 2013 10:51 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Using a var in the conf and local rules
> 
> 
> 
> Hey all, 
> 
> I am adding scanners for 600+ suspect IPs in a text file. 
> Ok adding in include snort.var 
> Adding var IP_RULES
> Then alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)
> I would like if the alert would tell me which IP it found. 
> Usually I would use a content but this is different. 
> Anyone know how to set this up?
> 
> Thanks, 
> 
> 
> -- 
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

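Added example, not part of the original thread: one way to turn the text file of suspect IPs described in the question into a Snort variable plus a single alert-only rule. It assumes Snort 2.9's `ipvar` keyword, a one-entry-per-line list with optional `#` comments, and a hypothetical local SID of 1000001; the sample addresses are constructed.

```python
import ipaddress

# Constructed sample list (RFC 5737 documentation addresses), one entry per line.
SAMPLE = """\
# suspect hosts
192.0.2.10
192.0.2.10
198.51.100.0/25
198.51.100.128/25
not-an-ip
203.0.113.7   # trailing comment
"""

def parse_ip_list(text):
    """Return (networks, rejected); rejected holds (line_number, entry) pairs."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))  # report it, never emit it
    collapsed = []
    for version in (4, 6):  # collapse_addresses() refuses mixed versions
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return collapsed, rejected

def render(nets, var="IP_RULES", sid=1000001):
    """Build the ipvar line and one alert rule (sid is a hypothetical local SID)."""
    if not nets:
        raise ValueError("no valid addresses: refusing to emit an empty list")
    items = ",".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets
    )
    ipvar = f"ipvar {var} [{items}]"
    rule = (f'alert tcp any any -> ${var} any '
            f'(msg:"suspect IP detected"; sid:{sid}; rev:1;)')
    return ipvar, rule

if __name__ == "__main__":
    networks, bad = parse_ip_list(SAMPLE)
    for line in render(networks):
        print(line)
    for lineno, entry in bad:
        print(f"# skipped line {lineno}: {entry!r}")
```

Snort's alert output records the packet's source and destination addresses, so the list entry that matched appears in each alert as the destination.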