[Snort-devel] ipvar: double negation should logically result in inclusion

Jason Brvenik jasonb at ...402...
Tue Jun 3 12:21:41 EDT 2008



> This should logically result in: "All IP addresses MINUS (1.1.1.1
> and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)",
> however, it is not supported:
> 


Why wouldn't you just define

ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]
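
Added example (not part of the original message and not Snort's parser): a small Python model of nested, negated IP lists, used to check which addresses the set described in the quoted text and the flat list above would match. It assumes a list matches when any non-negated element matches (or there are none) and no negated element matches; the NESTED expression and the names parse, matches and evaluate are constructed for illustration.

```python
import ipaddress

# Constructed nested form of the quoted sentence; the original expression is not shown on this page.
NESTED = "[!1.1.1.1,![2.2.2.0/24,![2.2.2.2,2.2.2.3]]]"
# Flat list taken from the reply above.
FLAT = "[!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]"

def parse(expr):
    """Parse an ipvar-style list into (negated, node); node is a network or a list of terms."""
    s = expr.replace(" ", "") + "\0"   # sentinel marks end of input
    pos = 0
    def term():
        nonlocal pos
        neg = s[pos] == "!"
        if neg:
            pos += 1
        if s[pos] == "[":
            pos += 1
            items = [term()]
            while s[pos] == ",":
                pos += 1
                items.append(term())
            if s[pos] != "]":
                raise ValueError("unbalanced list at offset %d" % pos)
            pos += 1
            return neg, items
        start = pos
        while s[pos] not in ",]\0":
            pos += 1
        return neg, ipaddress.ip_network(s[start:pos])  # ValueError on bad address
    result = term()
    if s[pos] != "\0":
        raise ValueError("trailing input at offset %d" % pos)
    return result

def matches(node, ip):
    """Assumed rule: (no positives OR any positive matches) AND no negated element matches."""
    if not isinstance(node, list):
        return ip in node
    positives = [n for neg, n in node if not neg]
    negatives = [n for neg, n in node if neg]
    included = not positives or any(matches(n, ip) for n in positives)
    return included and not any(matches(n, ip) for n in negatives)

def evaluate(expr, ip):
    neg, node = parse(expr)
    return matches(node, ipaddress.ip_address(ip)) != neg

if __name__ == "__main__":
    for ip in ("1.1.1.1", "2.2.2.2", "2.2.2.5", "8.8.8.8"):  # constructed sample addresses
        print(ip, "nested:", evaluate(NESTED, ip), "flat:", evaluate(FLAT, ip))
```

Under this model the two expressions are not equivalent, so the result depends on whether the parser treats a negated entry as overriding an explicit inclusion.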



