Subj : Snort rule...
To   : Shurato
From : Shurato
Date : Thu Jan 02 2025 21:16:00

 Sh> Sh> I'm just looking for a simple rule to block traffic from a specific ip to
 Sh> Sh> mine from any port to port 23 all the time. I tried:
 Sh> Sh> alert tcp 123.192.96.98 any -> 192.168.0.1/24 23 (msg:"Blocked IP";
 Sh> Sh> action: drop;)
 Sh> Sh> But action is an unknown rule command... I found that with "alert ip",
 Sh> Sh> but I couldn't get that to work either. This should be really
 Sh> Sh> simple... I'm not trying to create a complex rule. This rule of
 Sh> Sh> course is all on one line.

 Sh> Ok, I found block instead of alert and no parenthesis if that'll work.

That did nothing. I found:

alert tcp 192.168.0.11 any -> 192.168.0.3 23 (msg:"Telnet Traffic Blocked";drop;)

but that gives me an error that the rule option drop is unknown... I'm trying to use AI overviews, but they're full of contradictions and errors.

I also don't know how to determine what adapter snort is monitoring. I want to monitor the local ethernet, not my vpn...

I'll shut up for a while now... I'll take any suggestions. I've tried reading documentation, but it's more confusing than the AI suggestions... I should probably just not bother, this is ending up to be a lot more work than it's worth.

-- 
Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp, ,wss)
(Ports 22,23,110,21,119,999) (ssh login 'bbs' password 'shsbbs')

*** THE READER V4.50 [freeware]
--- 
 * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
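
Added example, not part of the original message: the two rules quoted above rewritten with the action in the position Snort's rule syntax expects. The addresses are the ones from the post; the sid values and the third msg string are constructed for illustration.

```snort
# Constructed example. sid values are made-up local ids
# (1000000 and up is the range reserved for locally written rules).

# As posted: "action: drop" and "drop" sit inside the parentheses, which hold
# rule options only. Neither is an option keyword, hence the "unknown" errors.
#   alert tcp 123.192.96.98 any -> 192.168.0.1/24 23 (msg:"Blocked IP"; action: drop;)
#   alert tcp 192.168.0.11 any -> 192.168.0.3 23 (msg:"Telnet Traffic Blocked";drop;)

# The action is the first word of the rule header, before the protocol.
# Each rule also carries its own sid. The network is written as 192.168.0.0/24,
# which covers the same range as the 192.168.0.1/24 in the post.
drop tcp 123.192.96.98 any -> 192.168.0.0/24 23 (msg:"Blocked IP"; sid:1000001; rev:1;)
drop tcp 192.168.0.11 any -> 192.168.0.3 23 (msg:"Telnet Traffic Blocked"; sid:1000002; rev:1;)

# Same match with "alert" as the action, for confirming that the rule fires on
# the intended traffic before relying on the drop rule. Uncomment to use.
# alert tcp 123.192.96.98 any -> 192.168.0.0/24 23 (msg:"Telnet from 123.192.96.98 seen"; sid:1000003; rev:1;)
```

A drop rule only stops packets when Snort runs inline (the -Q option with an inline-capable DAQ); in passive sniffing mode Snort sees a copy of the traffic and cannot block it. The interface Snort listens on is chosen with the -i option.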