Snort mailing list archives
Negated IP Ranges
From: Brandon Phelps <bphelps () gls com>
Date: Thu, 13 Oct 2011 16:42:01 -0400
Hello,

I am trying to prevent alerts coming from 2 specific IP addresses from a subnet that I monitor. Here are the appropriate snort.conf lines:

    # Setup the network addresses you are protecting
    ipvar HOME_NET [10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,10.20.17.0/24,10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,10.20.65.0/24,10.20.77.0/24,[!10.20.3.129,!10.20.3.130]]

    # Set up the external network addresses. Leave as "any" in most situations
    ipvar EXTERNAL_NET !$HOME_NET

This, to me, looks like it should work perfectly fine. I want to monitor the 10.20.3.0/24 subnet, but not the specific IP addresses 10.20.3.129 or 10.20.3.130. However, when attempting to start Snort with these rules, I get this:

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    ERROR: /etc/snort/snort.conf(42) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic in EXTERNAL_NET.
    Fatal Error, Quitting..

Line 42 of snort.conf is the EXTERNAL_NET ipvar... why would this be a problem? How would I exclude those two specific /32 addresses?

Thanks,
Brandon
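The condition named in the error message above can be reproduced with a small model of the check. This is an added example, not part of the original post and not Snort's own code; `parse_ipvar` and `conflicts` are hypothetical helpers, and the model assumes that negating a variable flips the polarity of every element inside it, nested negations included.

```python
import ipaddress

def parse_ipvar(text, negate=False):
    """Flatten a Snort-style IP list into (positive, negated) network lists.
    A leading '!' on an element or on a bracketed sub-list flips its polarity."""
    pos, neg = [], []
    depth, start = 0, 0
    for i, ch in enumerate(text + ","):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "," and depth == 0:          # split only at the top level
            item, flip = text[start:i].strip(), negate
            start = i + 1
            if not item:
                continue
            if item.startswith("!"):
                item, flip = item[1:].strip(), not flip
            if item.startswith("["):            # nested list: recurse on its body
                p, n = parse_ipvar(item[1:-1], flip)
            else:
                net = ipaddress.ip_network(item, strict=False)
                p, n = ([], [net]) if flip else ([net], [])
            pos += p
            neg += n
    return pos, neg

def conflicts(pos, neg):
    """Pairs (negated, positive) where the negated range is more general
    than a non-negated range it covers, as the error message words it."""
    return [(n, p) for n in neg for p in pos
            if n.version == p.version
            and n.prefixlen < p.prefixlen and p.subnet_of(n)]

# HOME_NET value copied from the post above
HOME_NET = ("[10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,"
            "10.20.17.0/24,10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,"
            "10.20.65.0/24,10.20.77.0/24,[!10.20.3.129,!10.20.3.130]]")

home_pos, home_neg = parse_ipvar(HOME_NET)          # HOME_NET as written
ext_pos, ext_neg = parse_ipvar("!" + HOME_NET)      # EXTERNAL_NET = !$HOME_NET

if __name__ == "__main__":
    print("HOME_NET conflicts:    ", conflicts(home_pos, home_neg))
    print("EXTERNAL_NET conflicts:", conflicts(ext_pos, ext_neg))
```

Under this model HOME_NET itself passes the check, while the outer negation in EXTERNAL_NET turns the two /32 hosts into non-negated entries covered by a negated 10.20.3.0/24, which matches the error being reported on the EXTERNAL_NET line.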
Current thread:
- Negated IP Ranges Brandon Phelps (Oct 13)
- Re: Negated IP Ranges Joel Esler (Oct 14)