Re: Exclude one IP

[Matt Kettler <mkettler () evi-inc com>]

Joel Esler wrote:
> I don't think it's undocumented, maybe it's just not as obvious..  


The use of : the operator for IPs IS undocumented. It's not in the manual, it's
not in the example snort.conf, it's not in snort(8) therefore it's undocumented.


> you
> can do port ranges as such: (80:8080) which means port 80 through  8080,
> so the IP method is similar. 

That documents it for ports, not for ips.

You're relying on the user expanding one feature's documentation into another.
That is DANGEROUS.

For example you can do IP lists with comas, but you cannot do so for ports.

ie: a port specifier of 80,8080 is illegal, but [192.168.1.1,192.168.1.2] is not.

There's clear precedent that IP lists and port lists do not behave the same way.
Based on that, it would be exceptionally unwise for a user to assume that the
ports behavior auto-magically must apply to IPs.




-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users