Snort mailing list archives

Re: Exclude one IP


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 01 Nov 2005 19:05:14 -0500

Joel Esler wrote:
> Matt,
>
> Thanks for your email, however,
>
> var HOME_NET [10.1.10.0/24,!10.1.10.24]
> var EXTERNAL_NET !$HOME_NET
>
> Will make HOME_NET everything in that range the HOME_NET except for that
> one machine,

For reference, Joel and I emailed a bit off-list, and Joel also emailed Nigel.
The above statement is untrue.

[10.1.10.0/24,!10.1.10.24] is the logical equivalent of "any". It matches all IP
addresses. Period.

The , operator is additive and an IP can match any one of the items in the list
and be considered included. You can never reduce the number of IPs matched by a
range using this method; you can only increase it.

Thus, in the above example, 10.1.10.24 will match because of the first half. Every
other IP in the address space will match the second half. Your effective IP
space is the combination of both sets, not the subtraction of one IP from the
other set.

If your objective is to ignore a host, don't do it this way, see the FAQ:

 http://www.snort.org/docs/faq/1Q05/node38.html



If you *really* need to create an IP list for HOME_NET that excludes one host,
you'll have to build it up using a series of ranges that do not include that host.
One undocumented feature that makes this easier is the : operator, which
allows you to create ranges that are not bitmasks.



Quoting Nigel:
--------------
e.g. To exclude the 192.168.1.1 address from its /24 subnet:

 var HOME_NET [192.168.1.0,192.168.1.2:255]
-------------
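
The additive list semantics described in the message above, and one way to build a HOME_NET list that really does leave out a host, as an added example that is not part of the original post and is not Snort's own code. It models only CIDR items and the `!` prefix as the post describes them (not the `:` range operator); the function names are hypothetical.

```python
import ipaddress


def item_matches(item, ip):
    """One list element: a CIDR or host, optionally negated with '!'."""
    negate = item.startswith("!")
    net = ipaddress.ip_network(item.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return hit != negate


def list_matches(ip_list, ip):
    """The comma is additive: an IP is included if ANY item matches it."""
    items = ip_list.strip("[]").split(",")
    return any(item_matches(i.strip(), ip) for i in items)


def exclude_host(network, host):
    """Return a bracketed list of CIDR blocks covering network minus host.

    This is the "build it up from ranges that do not include the host"
    approach, using plain bitmask blocks only.
    """
    net = ipaddress.ip_network(network)
    hole = ipaddress.ip_network(host)  # a bare host parses as a /32
    blocks = sorted(net.address_exclude(hole))
    return "[" + ",".join(str(b) for b in blocks) + "]"


if __name__ == "__main__":
    broken = "[10.1.10.0/24,!10.1.10.24]"
    # Constructed sample addresses: the host meant to be excluded, a
    # neighbour in the same /24, and an unrelated outside address.
    for ip in ("10.1.10.24", "10.1.10.5", "203.0.113.9"):
        print(f"{broken} matches {ip}: {list_matches(broken, ip)}")

    fixed = exclude_host("10.1.10.0/24", "10.1.10.24")
    print("var HOME_NET " + fixed)
    for ip in ("10.1.10.24", "10.1.10.25", "203.0.113.9"):
        print(f"fixed list matches {ip}: {list_matches(fixed, ip)}")
```
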



