Snort mailing list archives

RE: simple question

From: Robby Desmond <rdesmond () els ucsb edu>
Date: Mon, 07 Oct 2002 15:03:51 -0700

At 04:22 PM 10/7/02 -0500, Steve Halligan wrote:

Well, you can run snort like this:

snort [your options] host !A.B.C.100


Works, also, "snort <options> not host a.b.c.100"

or

You can add a -o to the command line and make a pass rule like:

pass ip any any -> A.B.C.100 any

Works on inbound. Will still alert on any trouble .100 causes, but this isprobably a good thing.

or

you can make your HOME_NET:

var HOME_NET [A.B.C.0/24,!A.B.C.100]

I don't think this will work. If my thinking is correct, the commadelimitation basically works as an OR. So what you have is [a.b.c.0/24 OR(NOT a.b.c.100)], which is basically defining it as "any" in a fun littleroundabout way. I wish this would work though.


-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

simple question Petre Bandac (Oct 07)
- <Possible follow-ups>
- RE: simple question Steve Halligan (Oct 07)
- RE: simple question Robby Desmond (Oct 10)