Snort mailing list archives
Re: Exclude one IP
From: Joel Esler <joel.esler () sourcefire com>
Date: Tue, 1 Nov 2005 13:29:36 -0500
More accurately you'd have to change the subnet mask.. eg.

var HOME_NET [!10.0.1.1,10.0.1.2:254]

or

var HOME_NET [10.0.1.0,10.0.1.2:255]

J

On Nov 1, 2005, at 1:20 PM, Joel Esler wrote:

> Matt,
>
> Thanks for your email, however,
>
> var HOME_NET [10.1.10.0/24,!10.1.10.24]
> var EXTERNAL_NET !$HOME_NET
>
> Will make HOME_NET everything in that range the HOME_NET except for that one machine, then makes EXTERNAL_NET everything else including that one machine.
>
> If you wanted to, you could put the 10.1.10.24 IP in EXTERNAL_NET along with [!$HOME_NET]
>
> Joel
>
> On Nov 1, 2005, at 12:03 PM, Matt Kettler wrote:
>
>> Joel Esler wrote:
>>> If you want to totally exclude it from analyzation, use a BPF filter at the command line, "not host 10.1.10.24"
>>>
>>> If you want to exclude it from the HOME_NET
>>>
>>> var HOME_NET [10.1.10.0/24,!10.1.10.24]
>>>
>>> That should work for you..
>>
>> No.. That won't work.. that will resolve to match all IPs.
>>
>> That effectively reads as "If it is in 10.1.10.0/24 OR it is not 10.1.10.24, then it is a member of HOME_NET"
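Added example, not part of the original thread and not Snort's own code: a small Python model of the two readings of the list debated above, so the difference can be checked against sample addresses. The function names and the sample addresses are constructed for illustration; the parser handles only plain IPs and CIDR blocks.

```python
import ipaddress

def parse_list(spec):
    """Split "[10.1.10.0/24,!10.1.10.24]" into (negated, network) pairs."""
    items = []
    for tok in spec.strip().strip("[]").split(","):
        tok = tok.strip()
        negated = tok.startswith("!")
        items.append((negated, ipaddress.ip_network(tok.lstrip("!"), strict=False)))
    return items

def member_or(spec, ip):
    """The reading Matt describes: every element is tested on its own and
    the results are ORed, so "!X" alone matches every address except X."""
    addr = ipaddress.ip_address(ip)
    return any((addr in net) != negated for negated, net in parse_list(spec))

def member_subtract(spec, ip):
    """The reading the first reply intended: positive elements minus negated ones."""
    addr = ipaddress.ip_address(ip)
    items = parse_list(spec)
    included = any(addr in net for negated, net in items if not negated)
    excluded = any(addr in net for negated, net in items if negated)
    return included and not excluded

HOME_NET = "[10.1.10.0/24,!10.1.10.24]"              # list from the thread
SAMPLES = ["10.1.10.5", "10.1.10.24", "192.0.2.7"]   # constructed test addresses

def compare(spec=HOME_NET, samples=SAMPLES):
    """Return {ip: (in HOME_NET under OR reading, under subtract reading)}."""
    return {ip: (member_or(spec, ip), member_subtract(spec, ip)) for ip in samples}

if __name__ == "__main__":
    for ip, (as_or, as_sub) in compare().items():
        # EXTERNAL_NET is !$HOME_NET, so it is the inverse of each column.
        print(f"{ip:12} OR-reading={as_or!s:5} subtract-reading={as_sub}")
```

Under the OR reading every sample lands in HOME_NET, so `!$HOME_NET` leaves EXTERNAL_NET with nothing to match; running a known outside address through the deployed variable is a quick way to see which reading a given sensor applies.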