How to alert if someone goes on a website other than the IP address listed?
Question
I have a snort rule
alert tcp any -> !142.250.200.14 any (msg:"Bad Website"; sid:1000002; rev:1;)
The problem is it logs all websites, including the one listed as 142.250.200.14 as 'bad website'.
I want all websites to be alerted except 142.250.200.14, is there an easy fix to the rule?
I suspect it has something to do with the ','. but I'm not sure.
PS. I'm a newbie.
1 answers
solution1
0 2021-05-19 17:15:10
You can make a list and iterate through that. You can reverse the effect or avoid it this way.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
How to make rule trigger on DNS rdata/IP address?
how to know ip address of packets which matched by content option in snort?
Specifying the rule address in Snort alert file
Windows Snort Error--ERROR: C:\Snort\etc\snort.conf(0) Failed to parse the IP address: 32.0.0.0/35.0.0.0
How to get the VLAN ID in snort alert?
Parsing Snort Alert File with Regex
Read the alert log from snort
what does this mean in suricata rule alert?
Python script to convert snort alert to csv
Protocol Translation from CAN bus to IP
Related Tags