Snort mailing list archives

Re: Snort home net and external net question

From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 04 Sep 2010 02:31:58 -0400

On 9/3/2010 13:41, Joel Esler wrote:

Check out README.variables in the doc/ directory of the tarball.


if it really works as described sure... bt we've found numerous instances of the 
verbiage saying one thing but the actual results are something else haven't we ;)



On Sep 3, 2010, at 1:01 PM, Andy Berryman wrote:

I tried that, but am getting an error. I’m running 2.8.6.0
Sep 3 16:51:33 (none) snort[18415]: FATAL ERROR: /snort/conf/general.rules(1)
Negated IP ranges that are equal to or are more general than non-negated
ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
var HOME_NET [10.215.0.0/16]
var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET]
Is it b/c my home net is a /16 and the external net I’m trying to add is a /24?
Thanks,
Andy
*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* Friday, September 03, 2010 11:53 AM
*To:* Andy Berryman
*Cc:* snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net>
*Subject:* Re: [Snort-users] Snort home net and external net question
On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:


If I have my home net of snort set to:
var HOME_NET [10.215.0.0/16]
How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
With recent versions of Snort, you can do positives and negatives in the same
variable, but the more specific entry needs to come first.
var HOME_NET [10.215.0.0/16]
var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]
Should work.




------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Snort home net and external net question, (continued)
- Re: Snort home net and external net question Jefferson, Shawn (Sep 03)
- Re: Snort home net and external net question waldo kitty (Sep 03)
- Re: Snort home net and external net question Joel Esler (Sep 03)
  - Re: Snort home net and external net question Andy Berryman (Sep 03)
    - Re: Snort home net and external net question waldo kitty (Sep 03)
    - Re: Snort home net and external net question Joel Esler (Sep 03)
    - Re: Snort home net and external net question Andy Berryman (Sep 03)
    - Re: Snort home net and external net question Jefferson, Shawn (Sep 03)
    - Re: Snort home net and external net question waldo kitty (Sep 03)
    - Re: Snort home net and external net question waldo kitty (Sep 03)
    - Re: Snort home net and external net question waldo kitty (Sep 03)
    - Re: Snort home net and external net question Joel Esler (Sep 04)
    - Re: Snort home net and external net question waldo kitty (Sep 04)
  - Re: Snort home net and external net question waldo kitty (Sep 03)
    - Re: Snort home net and external net question Jason Wallace (Sep 03)
    - Re: Snort home net and external net question waldo kitty (Sep 03)