Snort mailing list archives

RE: Exclude one IP


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 2 Nov 2005 10:24:30 -0500

-----Original Message-----
Subject: Re: [Snort-users] Exclude one IP

For example you can do IP lists with commas, but you cannot do so for
ports.

ie: a port specifier of 80,8080 is illegal, but [192.168.1.1,192.168.1.2]
is not.

There's clear precedent that IP lists and port lists do not behave the
same way.
Based on that, it would be exceptionally unwise for a user to assume that
the ports behavior auto-magically must apply to IPs.

I agree with Matt, this is not at all clear and it is contrary to how
variables have worked in snort.conf in the past.  Can we get clarification
from someone on the Snort team as to how to build lists and use operators in
port and address variables in snort.conf?  I'll volunteer to write the FAQ
section on this if someone will just explain it to me.

For instance, is this comment from snort.conf now obsolete? :

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80

I have a small arsenal of docs on how to fudge various parts of snort.conf
to do things that don't work out of the box from as far back as 1.2 (like
host exclusions from HOME_NET using funneled subnet masks for specific
inclusion).  It would be nice to retire those.

Thanks,
PaulM
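
The "funneled subnet masks" workaround mentioned in the message above (covering a network with progressively narrower blocks that skip one host) can be computed rather than written by hand. The following is an added example, not part of the original message or of Snort itself; the function names and the sample network are constructed for illustration, and the output uses the bracketed, comma-separated address list form quoted in the thread.

```python
import ipaddress


def exclude_hosts(network, excluded):
    """Return sorted CIDR blocks covering `network` minus everything in `excluded`."""
    net = ipaddress.ip_network(network)
    blocks = [net]
    for item in excluded:
        hole = ipaddress.ip_network(item)  # a bare address becomes a /32
        if hole.version != net.version or not hole.subnet_of(net):
            raise ValueError(f"{hole} is not inside {net}")
        remaining = []
        for block in blocks:
            if hole.subnet_of(block):
                # Split the block around the hole; yields nothing if they are equal.
                remaining.extend(block.address_exclude(hole))
            elif not block.subnet_of(hole):
                remaining.append(block)  # untouched by this exclusion
            # else: block lies wholly inside the hole and is dropped
        blocks = remaining
    return sorted(blocks)


def snort_var(name, blocks):
    """Format the blocks as a bracketed, comma-separated address list variable."""
    return "var %s [%s]" % (name, ",".join(str(b) for b in blocks))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    print(snort_var("HOME_NET", exclude_hosts("192.168.1.0/24", ["192.168.1.1"])))
```

Excluding a single host from a /24 this way always produces eight blocks, one for each prefix length from /25 to /32.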



