Re: Exclude one IP

[Joel Esler <joel.esler () sourcefire com>]

I don't think it's undocumented, maybe it's just not as obvious..   
you can do port ranges as such: (80:8080) which means port 80 through  
8080, so the IP method is similar.  I know this is a confusing point,  
I've seen it asked before, and we'll try and get it into the FAQ)

Joel



On Nov 1, 2005, at 7:05 PM, Matt Kettler wrote:

> Joel Esler wrote:
> > Matt,
> >
> > Thanks for your email, however,
> >
> > var HOME_NET [10.1.10.0/24,!10.1.10.24]
> > var EXTERNAL_NET !$HOME_NET
> >
> > Will make HOME_NET everything in that range the HOME_NET except  
> > for that
> > one machine,
>
> For reference, me and Joel emailed a bit off-list, and Joel also  
> emailed Nigel.
> The above statement is untrue.
>
> [10.1.10.0/24,!10.1.10.24] is the logical equivalent of "any". It  
> matches all IP
> addresses. Period.
>
> The , operator is additive and an IP can match any one of the items  
> in the list
> and be considered included. You can never reduce the number of IPs  
> matched by a
> range using this method, you can only increase it.
>
> Thus the above example 10.1.10.24 will match because of the first  
> half. Every
> other IP in the address space will match the second half. Your  
> effective IP
> space is the combination of both sets, not the subtraction of one  
> IP from the
> other set.
>
> If your objective is to ignore a host, don't do it this way, see  
> the FAQ:
>
>  http://www.snort.org/docs/faq/1Q05/node38.html
>
>
>
> If you *really* need to create an IP list for HOME_NET that  
> excludes one host,
> you'll have to build it up using a series ranges that do not  
> include that host.
>   One undocumented feature that makes this easier is the :  
> operator, which
> allows you to create ranges that are not bitmasks.
>
>
>
> Quoting Nigel:
> --------------
> e.g. To exclude the 192.168.1.1 address from it's /24 subnet:
>
>  var HOME_NET [192.168.1.0,192.168.1.2:255]
> -------------
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server.  
> Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users