Re: Variable

[john.ruff () us abb com]

Thanks for you response Erek.

I tested your suggestions as such:

var HOME_NET [any, !192.168.1.10]
(Maybe I'm wrong by putting the 'any' inside the brackets?)

That did not work, but the following solution did:

var HOME_NET [!192.168.1.10]

I'm capturing any -> any excluding traffic going to the one IP address.

Regards,
John


|------------->
|(Embedded    |
|image moved  |
|to file:     |
|pic25353.pcx)|
|             |
|------------->
  >------------------------------------------------------------------------|
  |Erek Adams <erek () theadamsfamily net>                                    |
  |08/22/2001 12:05 PM                                                     |
  >------------------------------------------------------------------------|



To:   John Ruff/ETI/USTRA/ABB@ABB_USTRA
cc:   snort-users () lists sourceforge net
Subject:  Re: [Snort-users] Variable

Security Level:?         Internal




[I'm out of coffee and I'm pissed, so someone correct me if need be.]

On Wed, 22 Aug 2001 john.ruff () us abb com wrote:

> If I want my $HOME_NET variable to be any address except one specific address
> could I use a declaration like so:
>
> 1 statement solution
> var HOME_NET ![192.168.1.10/24]

Nope.

> OR
>
> 2 statement solution
> var HOME_NET [192.168.1.10/24]
> var HOME_NET !$HOME_NET

Nope.

> OR would I have to declare the variable as :
>
> var HOME_NET [192.168.1.10/24]

Nope.

> then in my rules files implement each rule as:
>
> $EXTERNAL_NET any -> !$HOME_NET any

a /24 is an entire class C block.  You want a /32 which is one host.

I _think_ it would be:

var HOME_NET [192.168.1.0/24,!192.168.1.1]

But, I've got no coffee, so I won't say it's gonna work.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

Attachment: pic25353.pcx
Description: