Snort mailing list archives

Re: Question about negated and non-negated variables in rules


From: Jens-Harald Johansen <corinth () online no>
Date: Sat, 29 Nov 2003 12:24:27 +0100

Matt Kettler wrote:

> At 02:49 PM 11/28/2003, Jens-Harald Johansen wrote:
>
>> Thanks Matt, but what I was looking for was the boolean equivalent of:
>>
>> (a) and ((not b) or (not c))
>>
>> Meaning, I want a, but not b or c. This rule will then be negated in the rules I'm mod'ing.
>
> *cough* compare those two statements...
>         (a) and ((not b) or (not c))
>         (note: the above is the same as "a" if b and c don't overlap)
>
> is not the same as:
>         A and not (b or c).
>
> However, I don't think that construct is possible in snort syntax... you'd have to use pass rules to get it.
>
> The top-level operation in an IP list in snort is an OR operator, not an AND operator, so you cannot "subtract off" IPs already added to the list.

Sorry, my bad. Been awhile since I had any boolean mathematics in school and ... err ... guess I stumbled a bit there *cough*.

You're absolutely correct. I need to whitelist a couple of IP addresses which are allowed to run certain forms of ICMP traffic on our net.

But if I understand you correctly, I need to create pass rules for the hosts which are allowed to run the ICMP traffic? Think I'll need to RTFM concerning pass rules. Haven't used them before.

Thanks

jens:H
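
The two expressions compared in this thread, next to the OR-list behaviour Matt describes, as an added Python example that is not part of the original messages. The networks and host addresses are constructed, and `or_list_match` only models the OR semantics stated above; it is not Snort's own parsing code.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values, not taken from the thread.
A = ip_network("10.0.0.0/8")      # "a": the network the rule covers
B = ip_network("10.1.1.10/32")    # "b": first host allowed to send the ICMP
C = ip_network("10.1.1.20/32")    # "c": second allowed host

# Models an IP list written as [a, !b, !c]: (network, negated) pairs.
OR_LIST = [(A, False), (B, True), (C, True)]

def or_list_match(ip, entries=OR_LIST):
    """OR semantics as described in the thread: one matching element is enough."""
    addr = ip_address(ip)
    return any((addr in net) != negated for net, negated in entries)

def stated_match(ip):
    """(a) and ((not b) or (not c)), the expression first written."""
    addr = ip_address(ip)
    return addr in A and (addr not in B or addr not in C)

def wanted_match(ip):
    """a and not (b or c): inside a, but neither of the allowed hosts."""
    addr = ip_address(ip)
    return addr in A and not (addr in B or addr in C)

def compare(ips):
    """Return {ip: (or_list, stated, wanted)} for each address."""
    return {ip: (or_list_match(ip), stated_match(ip), wanted_match(ip))
            for ip in ips}

if __name__ == "__main__":
    samples = ["10.1.1.10", "10.1.1.20", "10.2.3.4", "192.0.2.7"]
    for ip, row in compare(samples).items():
        print(f"{ip:12} or_list={row[0]!s:5} stated={row[1]!s:5} wanted={row[2]}")
```

Under OR semantics the negated entries widen the list instead of narrowing it: an address outside `a` still matches because it is "not b", and the two allowed hosts still match because each is "not" the other one.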



