No subject


Thu Nov 23 16:36:19 EST 2017


  All of the elements that make up a rule must be true for the indicated 
  rule action to be taken. When taken together, the elements can be 
  considered to form a logical AND statement. At the same time, the various 
  rules in a Snort rules library file can be considered to form a large 
  logical OR statement.

What I would suggest:

# pass rules: match the first two bytes of an RTP/RTCP header. Hex content
# must be closed with a second pipe, and the pass rules have to match RTP
# positively (a negated content in a pass rule would pass every packet that
# lacks those bytes); depth:2 anchors the test at the start of the payload.
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:"|80 04|"; depth:2;)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:"|80 05|"; depth:2;)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:"|81 c8|"; depth:2;)
# whatever the pass rules did not claim
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC";)

FAQ entry 3.13 should explain how this would get converted into a 
rulechain.  http://www.snort.org/docs/faq.html#3.13

Cheers - Erick
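Editor's note, with an added example that is not Erick's code nor part of Snort: the quoted manual text (AND within a rule, OR across rules) and the pass-then-alert idea above can be exercised with a small evaluator for just the rule subset used in this thread (udp header, msg, |hex| content with optional `!`, depth). It shows three things a practitioner would want to confirm before deploying such a chain: a negated content in a pass rule inverts the filter so that every packet is passed and nothing alerts; `depth:2` keeps `80 04` deeper in a payload from being taken for an RTP header; and the chain only works when pass rules are evaluated before alert rules, which in the Snort of that era required starting it with `-o` (the default order applied alert rules first). The rule sets, packet payloads, and the `ORDER_*` tuples below are constructed for the illustration.

```python
"""Evaluator for the Snort rule subset used in this thread (illustration only)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^(pass|alert|log)\s+udp\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$")

# Historical Snort default applied alert rules before pass rules; "snort -o"
# switched to pass first, which a pass-then-alert chain relies on.
ORDER_DEFAULT = ("alert", "pass", "log")
ORDER_PASS_FIRST = ("pass", "alert", "log")


@dataclass
class Rule:
    action: str
    msg: str = ""
    content: Optional[bytes] = None
    negated: bool = False
    depth: Optional[int] = None


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    rule = Rule(action=m.group(1))
    for opt in (o.strip() for o in m.group(2).split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "content":
            if val.startswith("!"):              # content:!"..." negates the test
                rule.negated, val = True, val[1:].strip()
            body = val.strip('"')
            if not (body.startswith("|") and body.endswith("|")):
                raise ValueError("only |hex| content is supported here")
            rule.content = bytes.fromhex(body.strip("|"))
        elif key == "depth":
            rule.depth = int(val)
        else:
            raise ValueError(f"unsupported option: {key}")
    return rule


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Every option of a rule must hold (AND); here that is the one content test."""
    if rule.content is None:
        return True                              # only msg given: matches every udp packet
    window = payload if rule.depth is None else payload[: rule.depth]
    return (rule.content in window) != rule.negated


def classify(rules: List[Rule], payload: bytes,
             order=ORDER_PASS_FIRST) -> Tuple[Optional[str], Optional[str]]:
    """Rules of one action are an OR; action groups are tried in `order`; first hit wins."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, payload):
                return rule.action, rule.msg
    return None, None


# Pass rules match RTP/RTCP headers positively; depth:2 pins the test to the
# first two payload bytes (RTP v2, no P/X/CC, payload types 4 and 5, RTCP SR).
FIXED_RULES = load_rules("""
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:"|80 04|"; depth:2;)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:"|80 05|"; depth:2;)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:"|81 c8|"; depth:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC";)
""")

# Same chain with negated content: each pass rule now matches any packet that
# lacks its two bytes, so some pass rule claims every packet and nothing alerts.
NEGATED_RULES = load_rules("""
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:!"|80 04|";)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:!"|80 05|";)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:!"|81 c8|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC";)
""")

# Constructed UDP payloads (not captured traffic).
RTP_G723 = bytes.fromhex("8004 0001 00000010 deadbeef") + b"\x11" * 24   # RTP v2, PT 4
RTCP_SR = bytes.fromhex("81c8 0006 deadbeef") + b"\x00" * 24             # RTCP SR, PT 200
DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
DEEP_8004 = b"\x00\x00" + bytes.fromhex("8004") + b"\x00" * 8            # 80 04 present, not a header

if __name__ == "__main__":
    for name, pkt in [("RTP", RTP_G723), ("RTCP", RTCP_SR), ("DNS", DNS_QUERY), ("DEEP", DEEP_8004)]:
        print(f"{name:5} fixed/-o: {classify(FIXED_RULES, pkt)}  "
              f"fixed/default order: {classify(FIXED_RULES, pkt, ORDER_DEFAULT)}  "
              f"negated: {classify(NEGATED_RULES, pkt)}")
```

Run as a script it prints one line per sample packet; the "fixed/default order" column shows the RTP packets alerting because the alert rule is reached first, and the "negated" column shows every packet, RTP or not, being passed.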
