Re: [$HOME_NET, !192.168.1.222, !192.168.1.223] ? (subnet except specific IPs)

["Yakov Lerner" <iler.ml () gmail com>]

On 8/7/07, Jason <security () brvenik com> wrote:
> Yakov Lerner wrote:
> > On 8/7/07, *Jason* <security () brvenik com <mailto:security () brvenik com>>
> > wrote:
> >
> >
> >
> >     Yakov Lerner wrote:
> >     > On 8/7/07, Matt Kettler <mkettler () evi-inc com
> >     <mailto:mkettler () evi-inc com>> wrote:
> >     >> Yakov Lerner wrote:
> >     >>> On 8/7/07, *Matt Kettler* < mkettler () evi-inc com
> >     <mailto:mkettler () evi-inc com>
> >     >>> <mailto:mkettler () evi-inc com <mailto:mkettler () evi-inc com>>>
> wrote:
> >     >>>
> >     >>>     Yakov Lerner wrote:
> >     >>>     > Does this do what I'm thinking it would do:
> >     >>>     >     [$HOME,!192.168.1.222,!192.168.1.223]
> >     >>>     > , that is, subnet except specific IPs ?
> >     >>>
> >     >>>     No, that subnets the entire world.
> >     >>>
> >     >>>     The commas are effectively "OR" statements, so just this
> part:
> >     >>>     [!192.168.1.222,!192.168.1.223] will match any IP address.
> >     >>>
> >     >>>     Anything that is not 192.168.1.222 <http://192.168.1.222>
> >     <http://192.168.1.222> OR
> >     >>>     anything that is not 192.168.1.223 <http://192.168.1.223> <
> >     http://192.168.1.223>.
> >     >>>
> >     >>>     The first clause will match all IPs except 192.168.1.222
> >     <http://192.168.1.222>
> >     >>>     <http://192.168.1.222 <http://192.168.1.222>>, and the
> >     second clause
> >     >>>     will match  192.168.1.222 <http://192.168.1.222>
> >     <http://192.168.1.222>, among many others.
> >     >>>     The net result is everything.
> >     >>>
> >     >>>
> >     >>>
> >     >>> Is there solution/expression that matches the
> >     >>>          "given subnet except given list of IPs" ?
> >     >> No, other than adding up other subnets to create the equivalent.
> >     >
> >     > Are there IP RANGES, like [IP-IP] or maybe [IP:IP] ?
> >     >
> >     > Yakov
> >
> >     ?!?
> >
> >     $HOME_NET = [!192.168.1.222/31]
> >
> >
> > Yes, my original example was not good.
> > The real case is /8 subnet minus (exclude) set of 20 random IPs on it.
> > And set of IPs varies per rule. Are there IP RANGES, like [IP-IP] or
> > maybe [IP:IP] ?
> >
> > Yakov
>
> Because of the "OR" nature, you cannot do it as an exclusion. You would
> have to split your networks into chunks and include them specifically.


Can I specify "chunks" as ranges ? For example,
to specify subnet 192.168.1.0/8 excluding 192.168.1.55 and 192.168.1.227,
can I say
[192.168.1.0-192.168.1.54,192.168.1.56-192.168.1.2266,
192.168.1.228-192.168.1.255]
? Is this valid syntax ?

Yakov

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users