Snort mailing list archives
Re: Exclude one IP
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 01 Nov 2005 19:05:14 -0500
Joel Esler wrote:
> Matt, Thanks for your email, however,
>
> var HOME_NET [10.1.10.0/24,!10.1.10.24]
> var EXTERNAL_NET !$HOME_NET
>
> Will make HOME_NET everything in that range the HOME_NET except for that one machine,
For reference, me and Joel emailed a bit off-list, and Joel also emailed Nigel.

The above statement is untrue. [10.1.10.0/24,!10.1.10.24] is the logical equivalent of "any". It matches all IP addresses. Period.

The , operator is additive and an IP can match any one of the items in the list and be considered included. You can never reduce the number of IPs matched by a range using this method, you can only increase it.

Thus in the above example 10.1.10.24 will match because of the first half. Every other IP in the address space will match the second half. Your effective IP space is the combination of both sets, not the subtraction of one IP from the other set.

If your objective is to ignore a host, don't do it this way, see the FAQ:
http://www.snort.org/docs/faq/1Q05/node38.html

If you *really* need to create an IP list for HOME_NET that excludes one host, you'll have to build it up using a series of ranges that do not include that host. One undocumented feature that makes this easier is the : operator, which allows you to create ranges that are not bitmasks.

Quoting Nigel:
--------------
e.g. To exclude the 192.168.1.1 address from its /24 subnet:

var HOME_NET [192.168.1.0,192.168.1.2:255]
-------------
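The list semantics described in the message above, modelled as an added example (not part of the original post and not Snort's own code): an address is included if any one item matches, and a negated item matches everything outside it. The function names are hypothetical, and the generated list is assumed to use only the bracketed, comma-separated CIDR syntax shown in the thread.

```python
import ipaddress


def item_matches(item, ip):
    """One list item: a CIDR block or single IP, optionally negated with '!'."""
    negated = item.startswith("!")
    net = ipaddress.ip_network(item.lstrip("!"), strict=False)
    # A negated item matches every address that is NOT inside the block.
    return (ip in net) != negated


def list_matches(ip_list, ip):
    """Additive semantics as described in the message: match if ANY item matches."""
    addr = ipaddress.ip_address(ip)
    items = ip_list.strip("[]").split(",")
    return any(item_matches(i.strip(), addr) for i in items)


def home_net_excluding(subnet, host):
    """Build a bracketed list of CIDR blocks covering subnet minus one host."""
    net = ipaddress.ip_network(subnet)
    excluded = ipaddress.ip_network(host)  # a bare address becomes a /32
    # address_exclude() raises ValueError if host is not inside subnet.
    blocks = sorted(net.address_exclude(excluded))
    return "[" + ",".join(str(b) for b in blocks) + "]"


if __name__ == "__main__":
    # Constructed probe addresses; 203.0.113.9 is a documentation address.
    probes = ("10.1.10.24", "10.1.10.25", "203.0.113.9")

    negated_list = "[10.1.10.0/24,!10.1.10.24]"
    built_list = home_net_excluding("10.1.10.0/24", "10.1.10.24")

    for label, ip_list in (("negated", negated_list), ("built", built_list)):
        print(label, ip_list)
        for probe in probes:
            print("   ", probe, "matches" if list_matches(ip_list, probe) else "no match")

    print("var HOME_NET", built_list)
```

Under this model the negated list matches all three probes, while the built list matches only 10.1.10.25.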