Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: EXTERNAL_NET var acting strange

From: Scott Nursten <scott.nursten () streetsonline co uk>
Date: Tue, 21 Aug 2001 15:03:57 +0100
Ah-hah - CLICK! So, can I have multiple comma seperated blocks - ie;

![excludes_here],[includes_here]

IE, if there is a machine in the 1.1.1.0 range that I want to log, how do I log it? 

Rgds,

Scott 




Florent wrote:


That's normal :

Example : box 1.1.1.4

       !1.1.1.0         !172.16.16.0/24
         |                 |
but    False or Right or Right = Right
                 |
              !172.16.0.0/24

when snort tests !172.16.0.0/24 and !172.16.16.0/24, the IP 1.1.1.x make it right so your 1.1.1.x box gets considered 
as external_net.

Florent


-- 

Scott Nursten - Systems Administrator
----------------------------------------------
ddi:   +44 (0) 1293 744 122
work:  +44 (0) 1293 402 040
fax:   +44 (0) 1293 402 050
email: scottn () streetsonline co uk
wwweb: http://www.streetsonline.co.uk
----------------------------------------------

                Any sufficiently advanced technology is indistinguishable from magic.
                                        Arthur C. Clarke

                Any technology distinguishable from magic is insufficiently advanced.
                         (Probably not) Arthur C. Clarke

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: