Network Security Snort-Signatures
Re: [Snort-sigs] Fw: [Snort-users] negation symbol

Subject: Re: [Snort-sigs] Fw: [Snort-users] negation symbol
Date: Thu, 9 Dec 2004 20:10:40 -0600
This was cross-posted I see, not sure why you would want to do that, but
it happens. Anyway, I'm sending back to snort-sigs.

On  0, reynald <rtm@cybees.com> allegedly wrote:
> hi,
> 
> I tried it but I still have the same result.
> 
> thanks,
> reynald.
> 
> ----- Original Message ----- 
> From: Esler, Joel 
> To: 'reynald' 
> Sent: Thursday, December 09, 2004 3:26 PM
> Subject: RE: [Snort-users] negation symbol
> 
> Take the brackets off.  !xxx.xxx.xxx.xxx/24 (this will block all traffic to 
> yahoo you know that right)

nope, that's not the problem.

> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net 
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of reynald
> Sent: Thursday, December 09, 2004 1:44 AM
> To: snort-users@lists.sourceforge.net
> Cc: Reynald Mahinay
> Subject: [Snort-users] negation symbol
> 
> hello,
> 
> I have this rule that will block all yahoo requests coming from our network 
> except for a particular segment. 
> 
> ex:
> 
> alert tcp ![xxx.xxx.xxx.xxx/24] any -> any any [msg: "yahoo block test"; 
> content: "Yahoo"; nocase; resp: rst_all;)
> 
> It does block all yahoo requests but it also blocks the segment I excluded. 
> 
> Did I miss anything?

Yes. Your rule is malformed. The rule body needs to start with a "(" not
a "[" and you really don't want to use the "any any" in a rule that
resets any connection. Not that I am condoning using block rules unless you 
absolutely and clearly know what you are doing, but your rule should look 
something like this:

 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test"; content:"Yahoo"; nocase; resp:rst_all;)

Or you could use the "log" keyword instead of alert. But that's up to you. 
You certainly do not want to use "any any" on either side of that direction 
arrow, and you probably should make sure the connection is valid lest you 
keep resetting valid connections. Like I said, you _really_ need to make 
it very clear what you are trying to achieve here and you _really_ need to 
know what you are doing when it comes to resetting connections.

> any help will be appreciated.
> 
> thanks,
> 
> reynald
 
+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical, 
         you know. Pestilence here, a plague there. Omnipotence 
                                 ...gotta get me some of that.
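An added worked example, not code from this thread or from Snort itself: a toy rule parser and single-packet matcher that rejects the "[" option body reynald posted and evaluates Snort-style negated address lists (a leading "!" inverting a whole list, and a mixed "[a,!b]" list) against sample packets. The addresses are RFC 5737 documentation ranges standing in for the x'd-out segment, the $HOME_NET/$EXTERNAL_NET values and the payloads are constructed here, and the matcher handles only "->" rules with a single content: keyword; it ignores resp: entirely, so it does not model the connection resets Nigel warns about.

```python
import ipaddress
import re

# Assumed snort.conf variable values for this example (RFC 5737 documentation
# ranges, not the thread's real addresses): HOME_NET plays "our network".
VARS = {
    "$HOME_NET": "192.0.2.0/24",
    "$EXTERNAL_NET": "!192.0.2.0/24",
}

# Constructed rules. The first has the thread's defect: the option body opens
# with '[' instead of '('. The second keeps the negated source segment but
# uses a proper body and $EXTERNAL_NET as the destination.
MALFORMED = ('alert tcp ![192.0.2.0/24] any -> any any '
             '[msg:"yahoo block test"; content:"Yahoo"; nocase; resp:rst_all;)')
FIXED = ('alert tcp ![192.0.2.0/24] any -> $EXTERNAL_NET any '
         '(msg:"yahoo block test"; content:"Yahoo"; nocase; resp:rst_all;)')

# One option per match: keyword, optional ':' value (quoted or bare), then ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(body):
    """Turn 'msg:"x"; nocase; resp:rst_all;' into a dict; bare flags map to True.
    Toy limitation: a repeated keyword (e.g. two content: modifiers) keeps the last."""
    opts = {}
    for key, val in OPT_RE.findall(body):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts[key] = val if val else True
    return opts


def split_rule(rule):
    """Return (7 header fields, option dict). The body must be '(' ... ')'.
    Header address lists are assumed to contain no spaces."""
    rule = rule.strip()
    start = rule.find("(")
    if start < 0 or not rule.endswith(")"):
        raise ValueError("rule body must be enclosed in '(' ... ')'")
    header = rule[:start].split()
    if len(header) != 7:
        raise ValueError("expected action proto src sport dir dst dport, got %r" % header)
    return header, parse_options(rule[start + 1:-1])


def is_well_formed(rule):
    try:
        split_rule(rule)
        return True
    except ValueError:
        return False


def parse_addr(spec):
    """Resolve a $VAR, then parse 'any', 'a.b.c.d/n', '!x' or '[x,!y,...]'.
    Returns (outer_negated, positive_nets, negated_nets)."""
    spec = VARS.get(spec, spec)
    outer_neg = spec.startswith("!")
    if outer_neg:
        spec = spec[1:]
    if spec == "any":
        return outer_neg, [], []
    pos, neg = [], []
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if item.startswith("!"):
            neg.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            pos.append(ipaddress.ip_network(item, strict=False))
    return outer_neg, pos, neg


def addr_matches(spec, ip):
    """List semantics: inside some positive net (or none given) and outside
    every negated net; a leading '!' on the whole spec inverts the result."""
    outer_neg, pos, neg = parse_addr(spec)
    a = ipaddress.ip_address(ip)
    inside = (not pos or any(a in n for n in pos)) and not any(a in n for n in neg)
    return inside != outer_neg


def port_matches(spec, port):
    neg = spec.startswith("!")
    if neg:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def rule_matches(rule, src_ip, src_port, dst_ip, dst_port, payload):
    """Would this rule fire on one packet? payload is bytes. Only '->' rules
    and a single content: (with optional nocase) are handled; resp: is ignored."""
    header, opts = split_rule(rule)
    _action, _proto, src, sport, direction, dst, dport = header
    if direction != "->":
        raise ValueError("only '->' rules handled here")
    if not (addr_matches(src, src_ip) and port_matches(sport, src_port)
            and addr_matches(dst, dst_ip) and port_matches(dport, dst_port)):
        return False
    content = opts.get("content")
    if content is None:
        return True
    needle = content.encode()
    if opts.get("nocase"):
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    yahoo = b"GET / HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n"  # constructed payload
    print("malformed accepted?", is_well_formed(MALFORMED))
    print("excluded segment:", rule_matches(FIXED, "192.0.2.5", 40000, "203.0.113.10", 80, yahoo))
    print("other source:", rule_matches(FIXED, "198.51.100.7", 40000, "203.0.113.10", 80, yahoo))
```

Run as a script it reports that the "[" body is rejected outright, that a source in the excluded 192.0.2.0/24 segment does not match the corrected rule, and that any other source with "yahoo" in the payload does. The point of addr_matches is that `![x/24]` and `!x/24` mean the same thing (the brackets are not the bug), while `[10.0.0.0/8,!10.1.2.0/24]` is how "our network except one segment" is actually expressed in a header.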


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
