[Snort-devel] [Snort-users] "!" not acceptable in rules.base? (fwd)

Fyodor fygrave at ...1...
Mon Sep 25 21:01:51 EDT 2000

I don't remember if we ever allowed `!' for the host, but it makes
sense to have it, I guess :-) (will try to cook a patch when I get some
free time, if no one comes to this earlier :))


---------- Forwarded message ----------
Date: Mon, 25 Sep 2000 16:02:27 -0400 (EDT)
From: Geoffrey Goodrum <ggoodrum at ...67...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] "!" not acceptable in rules.base?

Sorry if this has been answered before, but I'm new to the list and did
not find it in the archives for the past month.

I am using kernel v2.2.16 on Red Hat Linux v6.1 (i386).

I've been using snort v1.6.0 from the Red Hat RPM on whitehats.com since
May. I just downloaded and installed v1.6.3 from the SRPM on the snort.org

The rules.base file created by the RPM installation puts double quotes
around the INTERNAL var IP address (var INTERNAL ""/32),
which results in the messages log entry:

Sep 25 15:16:53 perigee snort: ERROR /etc/snort/vision.rules (1) => Rule
IP addr ("") didn't x-late, WTF? 

and snort dies.  I fixed that by removing the quotes.  I also
wanted INTERNAL to be everything in my subnet, so I now have:


and that seems to work.

However, I want EXTERNAL to be everything not INTERNAL (like the
vision.conf setting), not "any" as specified in the rules.base.  
Following the documented snort IP Address convention, I use:


but this also gives:

Sep 25 14:50:11 perigee snort: ERROR /etc/snort/rules.base (6) => Rule IP
addr ("!") didn't x-late, WTF? 

Bottom line is I want EXTERNAL to be everything outside my subnet,
otherwise my internal Big Brother network scans get logged.  What
is the correct syntax?
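To make concrete what "EXTERNAL is everything not INTERNAL" means to a matching engine, the following is an added Python illustration; it is not Snort code and it does not settle which syntax snort 1.6.3 actually accepts. It reads `var NAME VALUE` lines from a constructed rules.base-style fragment (the `192.168.1.0/24` network, the packet addresses and the helper names `parse_vars`, `resolve`, `address_matches` and `translates` are all assumptions made for this example), resolves `$VAR` references, applies a leading `!` as negation, and reports whether a given packet address is covered. It also shows why the two specs from the log above, `""/32` and a bare `!`, fail to translate at load time rather than silently matching nothing.

```python
import ipaddress
import re

# Constructed rules.base fragment for this example; the file shipped in the
# RPM is different. A bare "!$INTERNAL" is used here to express "not INTERNAL".
SAMPLE_RULES_BASE = """\
# hypothetical config, not the real rules.base
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
"""

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(config_text):
    """Collect `var NAME VALUE` lines into a dict. Values stay as raw strings;
    $NAME references are resolved when an address is checked."""
    variables = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        match = VAR_LINE.match(line)
        if match:
            variables[match.group(1)] = match.group(2)
    return variables


def resolve(spec, variables, _depth=0):
    """Expand chained $VAR references, folding any leading '!' into a flag.
    Returns (negated, target) where target is 'any', a host or a net/bits."""
    if _depth > 16:
        raise ValueError("variable reference too deep (cycle?): %s" % spec)
    negated = False
    while spec.startswith("!"):
        negated = not negated           # "!!x" cancels out
        spec = spec[1:]
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise ValueError("undefined variable: $%s" % name)
        inner_negated, target = resolve(variables[name], variables, _depth + 1)
        return (negated != inner_negated), target
    return negated, spec


def address_matches(spec, ip, variables=None):
    """True if ip is covered by a Snort-style address spec: 'any', a host,
    a net/bits, or $VAR, each optionally prefixed with '!'."""
    negated, target = resolve(spec, variables or {})
    if target == "any":
        covered = True
    else:
        try:
            network = ipaddress.ip_network(target, strict=False)
        except ValueError as exc:
            # Same failure mode as the log entries above: an address that
            # cannot be translated is a hard error at load time.
            raise ValueError("Rule IP addr (%r) didn't translate" % target) from exc
        covered = ipaddress.ip_address(ip) in network
    return covered != negated


def translates(spec, variables=None):
    """True if the spec can be translated at all, i.e. the config would load."""
    try:
        address_matches(spec, "0.0.0.0", variables)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    variables = parse_vars(SAMPLE_RULES_BASE)
    for ip in ("192.168.1.42", "10.0.0.5"):      # constructed packet addresses
        print(ip, "INTERNAL" if address_matches("$INTERNAL", ip, variables) else "",
              "EXTERNAL" if address_matches("$EXTERNAL", ip, variables) else "")
    for bad in ('""/32', "!"):                    # the two specs from the log
        print(repr(bad), "translates" if translates(bad, variables) else "does not translate")
```

With these semantics a scan from `192.168.1.42` is INTERNAL and not EXTERNAL, which is exactly the outcome wanted for the Big Brother scans: a rule whose source is `$EXTERNAL` does not fire on it, while a packet from `10.0.0.5` is EXTERNAL and does.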


