Snort mailing list archives

Re: Snort home net and external net question


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 3 Sep 2010 13:41:38 -0400

Check out README.variables in the doc/ directory of the tarball.


On Sep 3, 2010, at 1:01 PM, Andy Berryman wrote:

I tried that, but am getting an error. I’m running 2.8.6.0
 
Sep  3 16:51:33 (none) snort[18415]: FATAL ERROR: /snort/conf/general.rules(1) Negated IP ranges that are equal to or are more general than non-negated ranges are not allowed.  Consider inverting the logic: $EXTERNAL_NET.
 
var HOME_NET [10.215.0.0/16]
var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET]
 
Is it b/c my home net is a /16 and the external net I’m trying to add is a /24?
 
 
Thanks,
Andy
 
 
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Friday, September 03, 2010 11:53 AM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort home net and external net question
 
On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:


If I have my home net of snort set to:
 
var HOME_NET [10.215.0.0/16]
 
How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
 
 
With recent versions of Snort, you can do positives and negatives in the same variable, but the more specific entry needs to come first.
 
var HOME_NET [10.215.0.0/16]
var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]
 
Should work.
 
Joel
 
 

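An added example, not part of the thread and not Snort's own code: a Python sketch that models the rule as the FATAL ERROR above words it (a negated range may not equal or be more general than a non-negated range in the same variable) and applies it to the two `EXTERNAL_NET` definitions quoted in the thread. The function names and the restriction to references to all-positive variables are assumptions of this sketch.

```python
import ipaddress

def parse_ip_var(value, variables):
    """Split a Snort-style list like "[10.215.40.0/24,!$HOME_NET]" into
    (positive, negated) lists of networks, expanding $VAR references."""
    positive, negated = [], []
    for item in value.strip().strip("[]").split(","):
        item = item.strip()
        is_negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            ref_pos, ref_neg = variables[item[1:]]
            if ref_neg:  # assumption: this sketch does not model nested negation
                raise ValueError("sketch only expands all-positive variables")
            nets = list(ref_pos)
        else:
            # strict=False accepts host bits, e.g. 10.216.40.0/16 -> 10.216.0.0/16
            nets = [ipaddress.ip_network(item, strict=False)]
        (negated if is_negated else positive).extend(nets)
    return positive, negated

def conflicts(positive, negated):
    """Return (negated, positive) pairs where the negated range equals or
    contains the positive one: the condition named in the FATAL ERROR."""
    return [(n, p) for n in negated for p in positive
            if n.version == p.version and p.subnet_of(n)]

def check_config(lines):
    """Evaluate 'var NAME [list]' lines in order; map each name to its conflicts."""
    variables, report = {}, {}
    for line in lines:
        _, name, value = line.split(None, 2)
        variables[name] = parse_ip_var(value, variables)
        report[name] = conflicts(*variables[name])
    return report

# The two configurations quoted in the thread.
FAILING = ["var HOME_NET [10.215.0.0/16]",
           "var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET]"]
SUGGESTED = ["var HOME_NET [10.215.0.0/16]",
             "var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]"]

if __name__ == "__main__":
    for label, cfg in (("failing", FAILING), ("suggested", SUGGESTED)):
        for name, pairs in check_config(cfg).items():
            for n, p in pairs:
                print(f"{label}: {name}: !{n} covers {p}")
```

In the failing definition the negated `$HOME_NET` (/16) covers the /24 listed beside it, which is the condition the error text describes; the range in the suggested definition lies outside `$HOME_NET`, so the check reports nothing.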
