![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: Question about negated and non-negated variable s in rules
From: corinth <corinth () online no>
Date: Fri, 28 Nov 2003 09:29:54 +0100
Topi Ylinen wrote:
You'll probably have received a number of replies already, but here's one more. 1) From the Snort faq: "Note that the negation operator does not work inside a list so the following will NOT work: var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16] but this will work: var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16]" 2) Also note that the list operator (",") is a disjunction ("OR"), not a conjunction ("AND"). I.e., if you say "!AAA.BBB.CCC.DDD/32,!EEE.FFF.GGG.HHH/32", an IP address can only fail this condition if AAA.BBB.CCC.DDD == EEE.FFF.GGG.HHH (you are effectively saying, "if this IP is not from A *OR* is not from B") -- T.
Thanks, I tried to RTFM but I couldn't find anything about combining two variables though, which is the main problem. Since I have a non-negated variable and one negated variable how can I combine these two ? Your reply is the first, btw =) jens:H ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Question about negated and non-negated variable s in rules corinth (Nov 28)