Snort mailing list archives

Negated IP Ranges


From: Brandon Phelps <bphelps () gls com>
Date: Thu, 13 Oct 2011 16:42:01 -0400

Hello,

I am trying to prevent alerts coming from 2 specific IP addresses from a subnet that I monitor. Here are the appropriate snort.conf lines:

# Setup the network addresses you are protecting
ipvar HOME_NET [10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,10.20.17.0/24,10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,10.20.65.0/24,10.20.77.0/24,[!10.20.3.129,!10.20.3.130]]

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET


This, to me, looks like it should work perfectly fine. I want to monitor the 10.20.3.0/24 subnet, but not the specific IP addresses 10.20.3.129 or 10.20.3.130. However when attempting to start Snort with these rules, I get this:

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(42) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic in EXTERNAL_NET.
Fatal Error, Quitting..


Line 42 of snort.conf is the EXTERNAL_NET ipvar... why would this be a problem? How would I exclude those two specific /32 addresses?

Thanks,
Brandon
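An added example, not part of the original post or of Snort itself: a small Python checker that models the rule named in the error (a negated range must not be more general than a non-negated one) and applies it to the HOME_NET value quoted above, both as written and with every element's sign flipped. Treating `!$HOME_NET` as that per-element sign flip is an assumption about Snort's semantics, not something the thread confirms.

```python
import ipaddress

# Constructed from the HOME_NET line quoted in the post above.
HOME_NET = ("[10.20.3.0/24,10.20.10.0/23,10.20.12.0/22,10.20.16.0/24,10.20.17.0/24,"
            "10.20.32.0/20,10.20.48.0/24,10.20.64.0/24,10.20.65.0/24,10.20.77.0/24,"
            "[!10.20.3.129,!10.20.3.130]]")

def parse_iplist(text):
    """Flatten a Snort-style ipvar list into (negated, network) pairs.
    Nested brackets are flattened; a '!' before a nested list flips the
    sign of every element inside it."""
    def parse(s, i, neg):
        items = []
        while i < len(s):
            if s[i] in " ,":
                i += 1
                continue
            if s[i] == "]":
                return items, i + 1
            local = neg
            if s[i] == "!":
                local, i = not neg, i + 1
            if s[i] == "[":
                sub, i = parse(s, i + 1, local)
                items.extend(sub)
            else:
                j = i
                while j < len(s) and s[j] not in ",]":
                    j += 1
                items.append((local, ipaddress.ip_network(s[i:j].strip(), strict=False)))
                i = j
        return items, i
    return parse(text.strip(), 0, False)[0]

def invert(items):
    """Model 'ipvar EXTERNAL_NET !$HOME_NET' as flipping every element's
    sign (an assumption about Snort's semantics, not taken from the thread)."""
    return [(not neg, net) for neg, net in items]

def find_violations(items):
    """Pairs (negated, non-negated) where the negated range is at least as
    general as a non-negated one, i.e. what the Snort error complains about."""
    negated = [net for neg, net in items if neg]
    positive = [net for neg, net in items if not neg]
    return [(n, p) for n in negated for p in positive if p.subnet_of(n)]

if __name__ == "__main__":
    for label, items in (("HOME_NET", parse_iplist(HOME_NET)),
                         ("EXTERNAL_NET", invert(parse_iplist(HOME_NET)))):
        bad = find_violations(items)
        print(label, "OK" if not bad else "rejects: " + ", ".join(f"!{n} vs {p}" for n, p in bad))
```

Run as written, HOME_NET passes the check while the inverted list is rejected because the now-negated 10.20.3.0/24 contains the now-positive 10.20.3.129 and 10.20.3.130.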
