Re: Question about negated and non-negated variable s in rules

[corinth <corinth () online no>]

Topi Ylinen wrote:

> You'll probably have received a number of replies already, but here's one
> more.
>
> 1) From the Snort faq:
> "Note that the negation operator does not work inside a list so the
> following
> will NOT work:
>
>     var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]
>
> but this will work:
>
>     var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16]"
>
> 2) Also note that the list operator (",") is a disjunction ("OR"), not a
> conjunction ("AND").
> I.e., if you say "!AAA.BBB.CCC.DDD/32,!EEE.FFF.GGG.HHH/32", an IP address
> can only fail this condition if AAA.BBB.CCC.DDD == EEE.FFF.GGG.HHH (you
> are effectively saying, "if this IP is not from A *OR* is not from B")
>
> --
> T.
Thanks, I tried to RTFM but I couldn't find anything about combining two 
variables though, which is the main problem. Since I have a non-negated 
variable and one negated variable how can I combine these two ?

Your reply is the first, btw =)

jens:H



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users