Snort mailing list archives

Re: HOME_NET Clarification


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 29 Oct 2004 16:32:10 -0400

At 12:24 PM 10/22/2004, Ilango S Allikuzhi wrote:
> Is it possible to define HOME_NET as [!10.40.1.0/24, !10.40.2.0/24, 10.0.0.0/8, 192.168.1.0/24] for instance?
> In other words, we want all subnets under 10 except a few.

As a more specific response than the one generated by Joel:

No. You can't create an IP range with holes in it like that using Snort.

Snort basically treats the commas as a logical OR operation. If an IP matches any one of the entries in the list, it is a match, regardless of what any other entries might be.

You'd want some kind of logical AND operation, i.e. 10.0.0.0/8 AND !10.40.1.0/24. But that would involve some fancier syntax than Snort supports.

Side note: Your example is identical in function to "any", as it will match any IP address in the entire range of IPs. [!10.40.1.0/24, !10.40.2.0/24] or any other two non-overlapping negated ranges in the list will create the same effect. This is a very common mistake.
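
The following is an added example, not part of the original message and not Snort's own code: a small Python model of the comma-as-OR evaluation described in the reply, next to the "range with holes" (AND) evaluation the question was asking for. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse(entry):
    """Split one list entry into (negated, network)."""
    entry = entry.strip()
    negated = entry.startswith("!")
    return negated, ipaddress.ip_network(entry.lstrip("!"))

def or_match(ip, entries):
    """Comma-as-OR semantics as described in the reply:
    the address matches if ANY single entry matches it."""
    addr = ipaddress.ip_address(ip)
    # A negated entry matches every address outside its network.
    return any((addr in net) != negated
               for negated, net in map(parse, entries))

def and_match(ip, entries):
    """The 'range with holes' the question wanted (hypothetical helper):
    inside some positive network AND inside no negated network."""
    addr = ipaddress.ip_address(ip)
    parsed = [parse(e) for e in entries]
    included = any(addr in net for neg, net in parsed if not neg)
    excluded = any(addr in net for neg, net in parsed if neg)
    return included and not excluded

# The list from the question.
HOME_NET = ["!10.40.1.0/24", "!10.40.2.0/24", "10.0.0.0/8", "192.168.1.0/24"]

# Constructed sample addresses: two in the "excluded" subnets, two intended
# members, two unrelated outside hosts.
SAMPLES = ["10.40.1.5", "10.40.2.9", "10.1.2.3",
           "192.168.1.7", "8.8.8.8", "172.16.0.1"]

def compare(entries, samples):
    """Return {ip: (or_result, and_result)} for each sample address."""
    return {ip: (or_match(ip, entries), and_match(ip, entries))
            for ip in samples}

if __name__ == "__main__":
    for ip, (o, a) in compare(HOME_NET, SAMPLES).items():
        print(f"{ip:<14} OR-list: {o!s:<5}  with holes: {a}")
```

Under the OR model every sample matches, including 10.40.1.5: it fails the first negated entry but satisfies the second one, which is why two non-overlapping negations behave like "any".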




