Snort mailing list archives
Re: Snort home net and external net question
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 03 Sep 2010 13:58:56 -0400
On 9/3/2010 13:01, Andy Berryman wrote:
I tried that, but am getting an error. I’m running 2.8.6.0 Sep 3 16:51:33 (none) snort[18415]: FATAL ERROR: /snort/conf/general.rules(1) Negated IP ranges that are equal to or are more general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
reading the above, i would say that it is because your HOME_NET is more general (wider range) than the non-negated range (the /24)... it may also be that because the non-negated one is within the negated one that it is whining...
var HOME_NET [10.215.0.0/16] var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET] Is it b/c my home net is a /16 and the external net I’m trying to add is a /24?
not that i can see and definitely not by the text used in the error message...
Thanks, Andy *From:* Joel Esler [mailto:jesler () sourcefire com] *Sent:* Friday, September 03, 2010 11:53 AM *To:* Andy Berryman *Cc:* snort-users () lists sourceforge net *Subject:* Re: [Snort-users] Snort home net and external net question On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote: If I have my home net of snort set to: var HOME_NET [10.215.0.0/16] How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet? With recent versions of Snort, you can do positives and negatives in the same variable, but the more specific entry needs to come first. var HOME_NET [10.215.0.0/16] var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET] Should work.
------------------------------------------------------------------------------ This SF.net Dev2Dev email is sponsored by: Show off your parallel programming skills. Enter the Intel(R) Threading Challenge 2010. http://p.sf.net/sfu/intel-thread-sfd _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort home net and external net question Andy Berryman (Sep 03)
- Re: Snort home net and external net question Jefferson, Shawn (Sep 03)
- Re: Snort home net and external net question waldo kitty (Sep 03)
- Re: Snort home net and external net question Joel Esler (Sep 03)
- Re: Snort home net and external net question Andy Berryman (Sep 03)
- Re: Snort home net and external net question waldo kitty (Sep 03)
- Re: Snort home net and external net question Joel Esler (Sep 03)
- Re: Snort home net and external net question Andy Berryman (Sep 03)
- Re: Snort home net and external net question Jefferson, Shawn (Sep 03)
- Re: Snort home net and external net question waldo kitty (Sep 03)
- Re: Snort home net and external net question waldo kitty (Sep 03)
- Re: Snort home net and external net question Andy Berryman (Sep 03)
- Re: Snort home net and external net question waldo kitty (Sep 03)
- Re: Snort home net and external net question Joel Esler (Sep 04)
- Re: Snort home net and external net question waldo kitty (Sep 04)
- Re: Snort home net and external net question Jason Wallace (Sep 03)