Re: Exclude one IP

[Joel Esler <joel.esler () sourcefire com>]

More accurately you'd have to change the subnet mask..  eg.

var HOME_NET [!10.0.1.1,10.0.1.2:254] or
var HOME_NET [10.0.1.0,10.0.1.2:255]

J


On Nov 1, 2005, at 1:20 PM, Joel Esler wrote:

> Matt,
>
> Thanks for your email, however,
>
> var HOME_NET [10.1.10.0/24,!10.1.10.24]
> var EXTERNAL_NET !$HOME_NET
>
> Will make HOME_NET everything in that range the HOME_NET except for  
> that one machine, then makes EXTERNAL_NET everything else including  
> that one machine.
>
> If you wanted to, you could put the 10.1.10.24 IP in EXTERNAL_NET  
> along with [!$HOME_NET]
>
> Joel
>
>
> On Nov 1, 2005, at 12:03 PM, Matt Kettler wrote:
>
> > Joel Esler wrote:
> > > If you want to totally exclude it from analyzation, use a BPF  
> > > filter at
> > > the command line, "not host 10.1.10.24"
> > >
> > > If you want to exclude it from the HOME_NET
> > >
> > > var HOME_NET [10.1.10.0/24,!10.1.10.24]
> > >
> > > That should work for you..
> >
> > No.. That won't work.. that will resolve to match all IPs.
> >
> >
> > That effectively reads as "If it is in 10.1.10.0/24 OR it is not  
> > 10.1.10.24,
> > then it is a member of HOME_NET"