[Snort-devel] ipvar: double negation should logically result in inclusion

Cees celzinga at ...2499...
Wed Jun 4 02:49:14 EDT 2008

> So the more general statement of the problem is that, "Negated IP
> ranges that are equal to or are more-general than non-negated ranges
> are not allowed.".

Yes indeed, thanks for clarifying!

> > Why wouldn't you just define
> > ipvar EXTERNAL_NET [!,!,[,]]
> Your example fails if any rule references "!$EXTERNAL_NET".

This fails, even in it's original declaration, since ! is
more general than [,].

More information about the Snort-devel mailing list