Snort mailing list archives

Re: Re: Snort-users digest, Vol 1 #5192 - 5 msgs


From: Jason Brvenik <jasonb () sourcefire com>
Date: Thu, 14 Jul 2005 13:38:43 -0400

![IP=155.200.2.10,!$HOME_NET]

where

HOME_NET= [155.200.2.0/24,155.200.3.0/24]

will not work since variables are essentially substitutions. What you end up with is

IP=![155.200.2.10,![155.200.2.0/24,155.200.3.0/24]]

(assuming the orig was a typo)

An inclusion with a subset negation will almost always evaluate to an undesired result as well.

10.1.1.0/8,!10.1.2.3/32 will always be !10.1.2.3/32 for everything but 10.1.2.3 itself.

If you have a rule you want to exclude from alerting you should either use a pass rule to cause that traffic to be ignored completely, a BPF to ignore the select host completely, or a suppression to filter out the alerts.

Paul Melson wrote:
What does the rule syntax for using one affirmative and one negative value
look like?
-----Original Message-----
Subject: Re: [Snort-users] Re: Snort-users digest, Vol 1 #5192 - 5 msgs

If you want to filter out one host, then you make the var:

var HOMENETFORRULE1234ONLY [x.x.x.x/32]

--On Thursday, July 14, 2005 02:51:13 +0800 Simon Yip
<simon388 () netvigator com> wrote:

That could be a solution while I hope to have something like ![IP=155.200.2.10,!$HOME_NET]. I have tried my above expression in a rule but it just gives me a fatal error.
where HOME_NET= [155.200.2.0/24,155.200.3.0/24]




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





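As an added illustration of the substitution point made in this thread (not code from the thread or from Snort itself): a small Python checker that expands $VAR textually the way a snort.conf var does and then flags the two pitfalls named above, a negated list that ends up nested inside another list after substitution, and a negated entry that is a subset of an included network. The bracket/CIDR parser is an assumed, simplified model of Snort's IP-list syntax; the HOME_NET value is the one quoted in the thread.

```python
import ipaddress
import re

# Constructed var table; the HOME_NET value is the one quoted in the thread.
VARS = {"HOME_NET": "[155.200.2.0/24,155.200.3.0/24]"}


def expand(expr, variables=VARS):
    """Replace every $NAME with its definition, purely textually (like a snort.conf var)."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], expr)


def parse(expr):
    """Parse '!'-prefixed CIDRs and bracketed lists into (negated, network-or-children)."""
    negated = expr.startswith("!")
    body = expr[1:] if negated else expr
    if not body.startswith("["):
        # strict=False accepts non-canonical prefixes such as 10.1.1.0/8
        return negated, ipaddress.ip_network(body, strict=False)
    items, depth, cur = [], 0, ""
    for ch in body[1:-1]:  # split on commas at bracket depth 0 only
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return negated, [parse(item) for item in items]


def lint(expr):
    """Return warnings for the two pitfalls the thread describes (empty list if clean)."""
    warnings = []

    def walk(node, parent_is_list):
        negated, val = node
        if not isinstance(val, list):
            return
        if negated and parent_is_list:
            warnings.append("negated list nested inside a list after substitution: " + expr)
        included = [v for n, v in val if not n and not isinstance(v, list)]
        for n, v in val:
            if n and not isinstance(v, list) and any(v.subnet_of(inc) for inc in included):
                warnings.append(f"!{v} is a subset of an included network")
        for child in val:
            walk(child, True)

    walk(parse(expr), False)
    return warnings
```

Running lint(expand("![155.200.2.10,!$HOME_NET]")) reports the nested negation, and lint("[10.1.1.0/8,!10.1.2.3/32]") reports the subset negation.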