Snort mailing list archives
Re: HOME_NET Clarification
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 29 Oct 2004 16:32:10 -0400
At 12:24 PM 10/22/2004, Ilango S Allikuzhi wrote:
Is it possible to define HOME_NET as [!10.40.1.0/24, !10.40.2.0/24, 10.0.0.0/8, 192.168.1.0/24] for instance? In other words, we want all subnets under 10 except a few.
As a more specific response than the one generated by Joel: No. You can't create an IP range with holes in it like that using snort. Snort basically treats the commas as a logical OR operation. If an IP matches any one of the entries in the list it is a match, regardless of what any other entries might be.
You'd want some kind of logical AND operation, i.e.: 10.0.0.0/8 AND !10.40.1.0/24. But that would involve some fancier syntax than snort supports.
Side note: Your example is identical in function to "any", as it will match any IP address in the entire range of IPs. [!10.40.1.0/24, !10.40.2.0/24] or any other two non-overlapping negated ranges in the list will create the same effect. This is a very common mistake.
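The following is an added example, not part of the original thread and not Snort code. It models the comma-as-OR evaluation as the reply describes it, shows that the posted list then matches every address, and expands "10.0.0.0/8 minus two /24s" into a positive-only CIDR list that gives the intended result under the same OR semantics. The function names `parse`, `or_match` and `carve` are hypothetical, and the test addresses are constructed.

```python
import ipaddress

# The list from the question, as posted.
POSTED = ["!10.40.1.0/24", "!10.40.2.0/24", "10.0.0.0/8", "192.168.1.0/24"]

def parse(entries):
    """Split each entry into (negated?, network)."""
    return [(e.strip().startswith("!"),
             ipaddress.ip_network(e.strip().lstrip("!"))) for e in entries]

def or_match(ip, entries):
    """OR semantics as described in the reply: one matching entry is enough.
    A negated entry matches every address outside its network."""
    addr = ipaddress.ip_address(ip)
    return any((addr in net) != negated for negated, net in parse(entries))

def carve(include, excludes):
    """Return positive-only CIDRs covering `include` minus every net in `excludes`."""
    nets = [ipaddress.ip_network(include)]
    for ex in map(ipaddress.ip_network, excludes):
        remaining = []
        for n in nets:
            if ex.subnet_of(n):
                # Splits n around ex; yields nothing when ex == n.
                remaining.extend(n.address_exclude(ex))
            elif not n.subnet_of(ex):
                remaining.append(n)  # untouched by this exclusion
        nets = remaining
    return sorted(nets)

def home_net_without_holes():
    """Positive-only equivalent of what the question intended."""
    carved = carve("10.0.0.0/8", ["10.40.1.0/24", "10.40.2.0/24"])
    return [str(n) for n in carved] + ["192.168.1.0/24"]

if __name__ == "__main__":
    # Constructed test addresses: inside a hole, inside 10/8, and unrelated.
    for ip in ("10.40.1.5", "10.1.2.3", "8.8.8.8"):
        print(ip, "posted:", or_match(ip, POSTED),
              "carved:", or_match(ip, home_net_without_holes()))
    print("[" + ",".join(home_net_without_holes()) + "]")
```

An address in 10.40.1.0/24 still matches the posted list because it falls outside 10.40.2.0/24, which is the "two non-overlapping negated ranges" effect from the side note.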