Snort mailing list archives

Re: Question about negated and non-negated variables in rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 28 Nov 2003 15:03:05 -0500

At 02:49 PM 11/28/2003, Jens-Harald Johansen wrote:
> Thanks Matt, but what I was looking for was the boolean equivalent of:
>
> (a) and ((not b) or (not c))
>
> Meaning, I want a, but not b or c. This rule will then be negated in the rules I'm mod'ing.

*cough* compare those two statements...
        (a) and ((not b) or (not c))
        (note: the above is the same as "a" if b and c don't overlap)

is not the same as:
        A and not (b or c).


However, I don't think that construct is possible in snort syntax... you'd have to use pass rules to get it.

The top-level operation in an IP list in snort is an OR operator, not an AND operator, so you cannot "subtract off" IPs already added to the list.




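The distinction drawn in the message above, as an added example that is not part of the original thread and is not Snort code: it compares the intended filter, the expression from the question, an IP list with a top-level OR, and the pass-rule workaround. The networks are constructed sample values, the function names are hypothetical, and the model assumes pass rules are evaluated before alert rules.

```python
import ipaddress

# Constructed sample networks (not from the thread): b and c lie inside a
# and do not overlap each other.
A = ipaddress.ip_network("10.0.0.0/8")
B = ipaddress.ip_network("10.1.0.0/16")
C = ipaddress.ip_network("10.2.0.0/16")

def wanted(addr):
    """The intended filter: a and not (b or c)."""
    ip = ipaddress.ip_address(addr)
    return ip in A and not (ip in B or ip in C)

def as_asked(addr):
    """The expression from the question: (a) and ((not b) or (not c))."""
    ip = ipaddress.ip_address(addr)
    return ip in A and ((ip not in B) or (ip not in C))

def or_list_match(addr, entries):
    """IP list with a top-level OR, as the message describes it: the list
    matches as soon as any one entry matches.
    entries: (negated, network) pairs, so (True, B) stands for !B."""
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != negated for negated, net in entries)

def pass_then_alert(addr):
    """Pass-rule workaround (assumption: pass rules are evaluated first).
    Returns 'pass', 'alert', or None when no rule matches."""
    ip = ipaddress.ip_address(addr)
    if ip in B or ip in C:
        return "pass"
    return "alert" if ip in A else None

def compare(addrs):
    """One row per address: wanted, as_asked, OR-list [a, !b, !c], pass/alert."""
    or_list = [(False, A), (True, B), (True, C)]
    return [(a, wanted(a), as_asked(a), or_list_match(a, or_list),
             pass_then_alert(a)) for a in addrs]

if __name__ == "__main__":
    for row in compare(["10.9.9.9", "10.1.2.3", "10.2.3.4", "192.0.2.1"]):
        print(row)
```

Because b and c do not overlap, every address is outside at least one of them, so the expression from the question collapses to "a" and the OR-list matches every address, including ones outside a.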

