Snort mailing list archives
Re: [$HOME_NET, !192.168.1.222, !192.168.1.223] ? (subnet except specific IPs)
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 07 Aug 2007 11:12:54 -0600
On 8/7/07 10:59 AM, "Yakov Lerner" <iler.ml () gmail com> wrote:
> On 8/7/07, Matt Kettler <mkettler () evi-inc com> wrote:
>> Yakov Lerner wrote:
>>> On 8/7/07, *Matt Kettler* <mkettler () evi-inc com> wrote:
>>>> Yakov Lerner wrote:
>>>>> Does this do what I'm thinking it would do:
>>>>> [$HOME,!192.168.1.222,!192.168.1.223], that is, subnet except specific IPs?
>>>>
>>>> No, that subnets the entire world. The commas are effectively "OR" statements, so just this part:
>>>> [!192.168.1.222,!192.168.1.223]
>>>> will match any IP address. Anything that is not 192.168.1.222 OR anything that is not 192.168.1.223.
>>>> The first clause will match all IPs except 192.168.1.222, and the second clause will match 192.168.1.222, among many others. The net result is everything.
>>>
>>> Is there solution/expression that matches the "given subnet except given list of IPs"?
>>
>> No, other than adding up other subnets to create the equivalent.
>
> Are there IP RANGES, like [IP-IP] or maybe [IP:IP]?
>
> Yakov
If you're not wanting to monitor them at all, adding "ip and not host 192.168.1.222 and not host 162.168.2.223" at the end of your snort start line may fit the bill.

James
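Added example, not part of the original thread: a Python sketch that evaluates the list with the OR semantics Matt describes, compares it with the intended "subnet except hosts" match, and computes the positive-only CIDR list he refers to as "adding up other subnets". The HOME_NET value of 192.168.1.0/24 and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: HOME_NET is 192.168.1.0/24 (the thread never states its value).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
EXCLUDED = [ipaddress.ip_address("192.168.1.222"),
            ipaddress.ip_address("192.168.1.223")]


def or_list_matches(addr):
    """The list evaluated as the thread describes: every comma is an OR."""
    addr = ipaddress.ip_address(addr)
    clauses = [addr in HOME_NET] + [addr != ex for ex in EXCLUDED]
    return any(clauses)


def intended_matches(addr):
    """What the poster wanted: inside the subnet AND not an excluded host."""
    addr = ipaddress.ip_address(addr)
    return addr in HOME_NET and addr not in EXCLUDED


def subnet_minus_hosts(net, hosts):
    """Positive-only CIDR blocks covering net without the given hosts."""
    remaining = [net]
    for host in hosts:
        host_net = ipaddress.ip_network(f"{host}/{net.max_prefixlen}")
        next_remaining = []
        for block in remaining:
            if host_net.subnet_of(block):
                # Split the block around the host; yields nothing if equal.
                next_remaining.extend(block.address_exclude(host_net))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return list(ipaddress.collapse_addresses(remaining))


def as_snort_list(blocks):
    """Render the blocks in the bracketed, comma-separated list syntax."""
    return "[" + ",".join(str(b) for b in blocks) + "]"


if __name__ == "__main__":
    for sample in ("192.168.1.10", "192.168.1.222", "8.8.8.8"):
        print(sample, or_list_matches(sample), intended_matches(sample))
    print(as_snort_list(subnet_minus_hosts(HOME_NET, EXCLUDED)))
```

The resulting list contains no negations, so it does not depend on how the list's commas are combined.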