Re: variable question

[Matt Kettler <mkettler () evi-inc com>]

At 10:05 AM 6/10/2003 -0400, Mike Ellis wrote:
> My EXTERNAL_NET variable looks like this in my snort.conf file:
>
> var EXTERNAL_NET ![$HOME_NET,$NCREN]
>
> I have defined HOME_NET and NCREN prior to establishing the EXTERNAL_NET
> variable.  What I want to do is have my EXTERNAL_NET look at all things
> except for HOME_NET and NCREN.  Can someone let me know if, as it is
> written above, the variable statement should work?


The statement you list should work properly and as expected, provided that 
$NCREN and $HOME_NET are defined and are valid in syntax.

A common mistake people often make is a basic boolean logic mistake.. you 
often see people write things like:

var EXTERNAL_NET [!$HOME_NET,!$NCREN]

Which looks correct at casual glance, but is incorrect, since if NCREN and 
HOME_NET are non-intersecting, it is the same as "any". But you didn't make 
that mistake.

Congratulations, you understand basic boolean operations better than most :)


> Also, is there a command I can run to see what snort thinks my
> EXTERNAL_NET variable is?

Snort variables aren't really variables at all.. AFAIK they are implemented 
as literal text substitution, so they are more akin to C's #define than a 
variable.

I don't think there is a command to show what a var statement is, but a bit 
of copy-paste should show what it winds up being.







-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users