Snort mailing list archives
Re: Variable
From: john.ruff () us abb com
Date: Wed, 22 Aug 2001 12:43:33 -0400
Thanks for your response Erek. I tested your suggestions as such:

var HOME_NET [any, !192.168.1.10]

(Maybe I'm wrong by putting the 'any' inside the brackets?)

That did not work, but the following solution did:

var HOME_NET [!192.168.1.10]

I'm capturing any -> any excluding traffic going to the one IP address.

Regards,
John

Erek Adams <erek () theadamsfamily net>
08/22/2001 12:05 PM

To: John Ruff/ETI/USTRA/ABB@ABB_USTRA
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Variable
Security Level:? Internal

[I'm out of coffee and I'm pissed, so someone correct me if need be.]

On Wed, 22 Aug 2001 john.ruff () us abb com wrote:
If I want my $HOME_NET variable to be any address except one specific address could I use a declaration like so:

1 statement solution
var HOME_NET ![192.168.1.10/24]

Nope.

OR 2 statement solution
var HOME_NET [192.168.1.10/24]
var HOME_NET !$HOME_NET

Nope.

OR would I have to declare the variable as :
var HOME_NET [192.168.1.10/24]

Nope.

then in my rules files implement each rule as:
$EXTERNAL_NET any -> !$HOME_NET any

a /24 is an entire class C block. You want a /32 which is one host.

I _think_ it would be:

var HOME_NET [192.168.1.0/24,!192.168.1.1]

But, I've got no coffee, so I won't say it's gonna work. :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
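The list semantics discussed in this thread, modelled as an added Python example (not written by either poster and not Snort's own parser): it assumes an address matches when no negated entry covers it and either a plain entry covers it or the list holds only negated entries. The helper names are hypothetical; the sample addresses are constructed.

```python
import ipaddress

def parse_ip_list(spec):
    """Split a bracketed, comma-separated list into (included, excluded) networks."""
    body = spec.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    included, excluded = [], []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        # strict=False keeps host bits legal: 192.168.1.10/24 becomes 192.168.1.0/24
        net = ipaddress.ip_network(item, strict=False)
        (excluded if negated else included).append(net)
    return included, excluded

def matches(spec, address):
    """Assumed semantics: negated entries always win; a list holding only
    negated entries means 'everything except those'."""
    included, excluded = parse_ip_list(spec)
    addr = ipaddress.ip_address(address)
    if any(addr in net for net in excluded):
        return False
    return not included or any(addr in net for net in included)

def covered_hosts(entry):
    """Number of addresses a single CIDR entry spans."""
    return ipaddress.ip_network(entry, strict=False).num_addresses

if __name__ == "__main__":
    # Constructed sample addresses, checked against the two lists from the thread.
    for spec in ("[!192.168.1.10]", "[192.168.1.0/24,!192.168.1.1]"):
        for ip in ("192.168.1.1", "192.168.1.10", "192.168.1.77", "10.0.0.5"):
            print(f"{spec:32} {ip:14} {'match' if matches(spec, ip) else 'no match'}")
    print("192.168.1.10/24 spans", covered_hosts("192.168.1.10/24"), "addresses")
    print("192.168.1.10/32 spans", covered_hosts("192.168.1.10/32"), "address")
```

Under this model a `/24` written with a host address still spans 256 addresses, which is why excluding a single host needs the bare address or a `/32`.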