Snort mailing list archives
Re: Snort Rule Question
From: Erick Mechler <emechler () techometer net>
Date: Mon, 17 Feb 2003 16:56:12 -0800
:: I am trying to stop an alert on specific rules against specific http
:: servers. How is this done? Assume the alert starts with: alert tcp
:: $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS..... if http_servers =
:: home_network, how do I stop this from alerting on certain servers? Can
:: I use a list of ip addresses for the HTTP_SERVERS variable?

Probably the most effective way to do this is to create as many $HTTP_SERVER variables as you need, and apply the appropriate variable to each web-specific rule. Not very elegant, but it will work.

Or, you could start playing with pass rules for the specific web servers you're not concerned with, but more alerts will slow down the application.

Cheers - Erick
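Added example, not part of the original message: the two approaches from the reply written out as Snort configuration. The addresses are constructed (documentation range), and the variable name HTTP_SERVERS_NOISY, the rule content and the SID are hypothetical.

```snort
# Constructed sample addresses; every name other than HTTP_SERVERS,
# EXTERNAL_NET and HTTP_PORTS is a hypothetical chosen for this example.

# A variable may hold a bracketed, comma-separated address list (no spaces).
var HTTP_SERVERS [192.0.2.10/32,192.0.2.11/32,192.0.2.12/32]

# Approach 1: a second variable that leaves out 192.0.2.12, the server
# that should not raise this particular alert.
var HTTP_SERVERS_NOISY [192.0.2.10/32,192.0.2.11/32]

# The web rule in question points at the narrower variable; all other
# web rules keep using $HTTP_SERVERS.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS_NOISY $HTTP_PORTS (msg:"LOCAL constructed example rule"; flow:to_server,established; uricontent:"/example-path"; nocase; sid:1000001; rev:1;)

# Approach 2: leave the alert rule on $HTTP_SERVERS and add a pass rule
# with the same match for the one server to be excluded.
pass tcp $EXTERNAL_NET any -> 192.0.2.12/32 $HTTP_PORTS (uricontent:"/example-path"; nocase;)
```

In Snort releases of this period rules are applied in alert, pass, log order, so the pass rule only suppresses the alert when Snort is started with `-o`, which switches the order to pass, alert, log.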
Current thread:
- Snort Rule Question Nick Patellis (Feb 17)
- Re: Snort Rule Question Erick Mechler (Feb 17)