Snort mailing list archives
RE: Variables and Negation
From: "Jason Luke" <jluke () truarx com>
Date: Mon, 17 Mar 2003 15:16:20 -0500
I don't think $HTTP_SERVERS [!192.168.2.2/32] would help me because it would catch unwanted traffic destined for hosts on the Internet. (e.g. if somebody was accessing some website on the Internet with /intranet it would trigger when I don't care.)

Some people use the proxy and some do not. So I see traffic to random external IP's, and internal IP's, including my proxy. I want the rule to only show me traffic destined to servers on my network, except for the proxy.

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu]
Sent: Monday, March 17, 2003 12:05 PM
To: Jason Luke; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Variables and Negation

Wouldn't $HTTP_SERVERS [!192.168.2.2/32] do the trick? That excludes the proxy only, which would by default include all the other hosts defined in $HOME_NET since $HTTP_SERVERS is always used on the destination side of a rule.

IOW, I think you're making this more complex than it needs to be.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Jason Luke [mailto:jluke () truarx com]
Sent: Monday, March 17, 2003 1:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Variables and Negation

I cannot seem to get it right and didn't find a definitive answer on the list.

I have a variable $HOME_NET 192.168.0.0/16
I want to set $HTTP_SERVERS to $HOME_NET except for 192.168.2.2, my proxy.

Can I do:
$HTTP_SERVERS [$HOME_NET, !192.168.2.2/32] ??

Is there a better way to exclude only one IP?
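The two candidate definitions discussed in this thread, compared as an added example that is not part of any poster's message and is not Snort's own parser. It assumes negation means plain set complement (the reading in the top reply), and the two non-proxy destination addresses are constructed sample values.

```python
import ipaddress

def parse_list(spec, variables):
    """Split an address list into (included, excluded) networks."""
    included, excluded = [], []
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item.startswith("$"):
            if negated:
                raise ValueError("negated variables are outside this model")
            inc, exc = parse_list(variables[item[1:]], variables)
            included += inc
            excluded += exc
            continue
        net = ipaddress.ip_network(item, strict=False)
        (excluded if negated else included).append(net)
    return included, excluded

def matches(addr, spec, variables):
    """True if addr is selected by spec under set-complement negation."""
    included, excluded = parse_list(spec, variables)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    # A list holding only negated entries selects everything else.
    return not included or any(ip in net for net in included)

VARS = {"HOME_NET": "192.168.0.0/16"}              # from the thread
PROXY_ONLY = "[!192.168.2.2/32]"                   # first suggestion
HOME_MINUS_PROXY = "[$HOME_NET, !192.168.2.2/32]"  # original question

# Constructed destinations: the proxy, an internal server, an Internet host.
DESTINATIONS = ["192.168.2.2", "192.168.5.10", "203.0.113.80"]

def compare():
    """Map each destination to (PROXY_ONLY match, HOME_MINUS_PROXY match)."""
    return {d: (matches(d, PROXY_ONLY, VARS),
                matches(d, HOME_MINUS_PROXY, VARS)) for d in DESTINATIONS}

if __name__ == "__main__":
    for dst, (a, b) in compare().items():
        print(f"{dst:15} proxy-only={a!s:5} home-minus-proxy={b}")
```

Only the Internet host differs between the two definitions: the negation-only list selects it, while the list anchored on $HOME_NET does not.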