Snort mailing list archives

Re: Rule help


From: Erick Mechler <emechler () techometer net>
Date: Mon, 27 Jan 2003 08:41:04 -0800

:: In other words, I'd like to get SNMP Request UDP alerts from any hosts on my
:: LAN (which is a subset of the entire company network) OTHER than the few
:: I've designated.  How do I designate a subnet and exclude a few hosts from
:: that subnet?  I tried this - doesn't seem to work with 1.9.0:
:: 
:: alert udp [$HOME_NET,!1.2.4.4,!2.3.4.5,!5.4.3.2] any -> $HOME_NET 161
:: (msg:"SNMP request udp"; reference:cve,CAN-2002-0012;
:: reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)

Split it up into two rules.  You're going to need one pass rule for the
hosts you don't care about, and an alert rule for the rest of $HOME_NET.  
You can't have a rule with mixed logical operators, AFAIK (i.e., some hosts
negated, some not).

The section in the FAQ re: rule ordering might help with this:

  http://www.snort.org/docs/faq.html#3.13

Cheers - Erick
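The two-rule split described in the reply above, as an added example that is not part of the original thread, written as it would appear in a Snort 1.9 rules file. The three excluded addresses and the alert rule are taken from the quoted message; the pass rule's sid is an assumed local value (sids at or above 1000000 are conventionally reserved for local rules).

```snort
# Pass rule: SNMP requests from the designated hosts are accepted silently.
# sid:1000001 is an assumed local-rule id, not a registered Snort sid.
pass udp [1.2.4.4,2.3.4.5,5.4.3.2] any -> $HOME_NET 161 \
    (msg:"SNMP request udp - designated hosts"; sid:1000001; rev:1;)

# Alert rule: every other host in $HOME_NET still triggers the standard alert.
alert udp $HOME_NET any -> $HOME_NET 161 \
    (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; \
    reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)
```

The ordering caveat is what makes this work or not: Snort's default rule order is Alert, Pass, Log, so with the rules above loaded as-is the alert rule is evaluated first and the pass rule never suppresses anything. Start Snort with `-o` to change the order to Pass, Alert, Log, which is the behaviour the FAQ section on rule ordering describes. After restarting, confirm from the designated hosts that no sid 1417 alerts are logged, and from one other LAN host that they still are.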

