Snort mailing list archives

Re: Using a var in the conf and local rules


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 25 Feb 2013 15:29:05 -0500


On Feb 25, 2013, at 3:06 PM, "Lay, James" <james.lay () wincofoods com> wrote:

From: honeybadger () q com [mailto:honeybadger () q com]
Hey all,

I am adding scanners for 600+ suspect IPs in a text file.
Ok adding in include snort.var
Adding var IP_RULES
Then alert tcp any any -> $IP_RULES any (msg:"suspect IP detected"; sid:4525;)
I would like if the alert would tell me which IP it found.
Usually I would use a content but this is different.
Anyone know how to set this up?

Thanks,

Wonder if adding these to the reputation blacklist would do the trick?  Not sure.
 
James

I'd recommend the IP reputation blacklist for that, instead of doing IP rules.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
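Both approaches in the thread start from the same text file of suspect addresses. As an added example that is not from the list or from Sourcefire, this script reads such a file, drops malformed and duplicate entries, and emits either a reputation preprocessor blacklist or one rule per address so the alert message names the IP that fired. The sample list, the sid base of 1000000 and the blacklist path are constructed assumptions.

```python
import ipaddress

# Constructed sample of the suspect-IP text file (not from the thread):
# one address or CIDR per line, '#' comments, a bad line and a duplicate.
SUSPECT_LIST = """# suspect scanners (constructed sample)
203.0.113.5
198.51.100.0/24   # whole range
bogus.entry
203.0.113.5
"""

def parse_ip_list(text):
    """Return valid, deduplicated IPv4/IPv6 networks; skip comments and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a bad line must not break the whole config
        if net not in nets:
            nets.append(net)
    return nets

def fmt(net):
    """Snort-style address: bare host for /32 (or /128), CIDR otherwise."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def per_ip_rules(nets, base_sid=1000000):
    """One rule per entry so the alert msg names the address that fired.
    base_sid is an assumed local range (sids >= 1000000 are reserved for local rules)."""
    return [
        f'alert tcp any any -> {fmt(net)} any (msg:"suspect IP {fmt(net)} detected"; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, net in enumerate(nets)
    ]

def reputation_blacklist(nets):
    """Body of a blacklist file for the reputation preprocessor, one entry per line,
    loaded with e.g.: preprocessor reputation: blacklist /etc/snort/black_list.rules"""
    return "".join(fmt(net) + "\n" for net in nets)

if __name__ == "__main__":
    nets = parse_ip_list(SUSPECT_LIST)
    print("\n".join(per_ip_rules(nets)))
    print(reputation_blacklist(nets))
```

With the reputation preprocessor the alert itself (GID 136) already carries the packet's source and destination addresses, so the per-rule variant is only needed if you want the address spelled out in the msg text.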