RE: home_net and external_net: how to use ! withmultiple subnets ?

["John Creegan" <jcreegan () questarweb com>]

Very close.  It's !$HOME_NET.

> > > Tom Van Overbeke <tvanoverbeke () ccncsi net> 08/20/03 06:46AM >>>
> >
> > on the internal side, we have various lan's / dmz's etc,
> the external ip
> > interface (public ip adress) is connected to a hub, on
> which another public
> > ip adress (that i also want to consider as 'home_net' is
connected.
> > Now i'd like to consider external net as 'everything that
> is not home_net',
> > but i can't get the syntax right. so for the moment i have
> only excluded our
> > main lan in external net.
> > the problem being that alot of false alerts are logged that
> come from the
> > other local subnets.
> >
> > this is my current definition:
> >
> > var HOME_NET
> [172.21.0.0/16,172.16.208.0/27,172.16.208.32/27,195.xxx.xxx.xx
> x/32,195.xxx.x
> > xx.xxx/32]
> > var EXTERNAL_NET !172.21.0.0/16
>
> Two possible minor things come to my mind:
>
> 1)  Why have you repeated 195.xxx.xxx.xxx/32 twice?  Typo I take it?

No, there's actually 2 public ip adresses listed there.

> 2) Wouldn't it be?
>    var EXTERNAL_NET !HOME_NET
>
> I'm not too sure about that last one, but it certainly sounds
> logical.

Yes, it would seem so, but when i tried it, i got this error message:

Aug 20 13:41:06 pitbull snort: FATAL ERROR: ERROR
./snort.org-rules/bad-traffic.rules(12): Couldn't resolve hostname
HOME_NET

So it will have to be a combination of ! [] and , i'm afraid, but the
things
i tried seemed to work (no error), but didn't give the desired result.
or
maybe it's not even possible ?


anyone who's in the know, please come forward.


thx,


Tom.

****************************************************************************
Disclaimer: 
This electronic transmission and any files attached to it are strictly

confidential and intended solely for the addressee. If you are not 
the intended addressee, you must not disclose, copy or take any
action in reliance of this transmission. If you have received this 
transmission in error, please notify the sender by return and delete
the transmission.  Although the sender endeavors to maintain a
computer virus free network, the sender does not warrant that this
transmission is virus-free and will not be liable for any damages 
resulting from any virus transmitted. 
Thank You.
****************************************************************************



-------------------------------------------------------
This SF.net email is sponsored by Dice.com.
Did you know that Dice has over 25,000 tech jobs available today? From
careers in IT to Engineering to Tech Sales, Dice has tech jobs from
the
best hiring companies. http://www.dice.com/index.epl?rel_code=104 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.



-------------------------------------------------------
This SF.net email is sponsored by Dice.com.
Did you know that Dice has over 25,000 tech jobs available today? From
careers in IT to Engineering to Tech Sales, Dice has tech jobs from the
best hiring companies. http://www.dice.com/index.epl?rel_code=104
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users