Re: Ignore host

["Kenneth G. Arnold" <bkarnold () cbu edu>]

It's my impression that [$HOME_NET,!10.195.1.195/32] would not solve your 
problem because $HOME_NET includes 10.195.1.195/32 and !10.195.1.195/32 
includes everything except the one IP address including everything on your 
$EXTERNAL_NET.  The two would be effectively added together to become 
"any".  I think the only way to accomplish what you want is to write a pass 
rule for this sid for every rule in porn.rules for this IP address.  Any 
one else have an opinion?

Ken


At 09:19 AM 4/11/03 -0500, David Scott wrote:
> I'm trying to ignore traffic from a particular host, but ONLY for a specific
> set of rules (PORN.RULES). I want to use the syntax
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> [$HOME_NET,!10.195.1.195/32] any
> (msg:"PORN alt.binaries.pictures.erotica";
> content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:porn;
> sid:1836; rev:1;)
>
> Where I've added !10.195.1.195/32 to the standard $HOME_NET variable. Is
> this acceptable? Is this the most efficient way to do this?
>
>
> David Scott
> Memphis Technology Associates
> http://www.perimeterdefenses.com
>
>
>
> -------------------------------------------------------



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users