[Snort-devel] ipvar: double negation should logically result in inclusion

Cees celzinga at ...2499...
Wed Jun 4 02:49:14 EDT 2008


> So the more general statement of the problem is that, "Negated IP
> ranges that are equal to or are more-general than non-negated ranges
> are not allowed.".

Yes indeed, thanks for clarifying!

>
> > Why wouldn't you just define
> > ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]
>
> Your example fails if any rule references "!$EXTERNAL_NET".

This fails, even in its original declaration, since !2.2.2.0/24 is
more general than [2.2.2.2,2.2.2.3].
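
The rule quoted above, applied to the declaration from this message, as a standalone check. This is an added example, not part of the original message and not Snort's own parser; the function names are hypothetical, and applying a "!" in front of a nested list to each member is an assumption of this sketch.

```python
import ipaddress

def split_top(s):
    """Split on commas that are not inside a nested [...] list."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def flatten(value, negated=False):
    """Return (network, negated) pairs for an ipvar value.
    Assumption of this sketch: '!' before a nested list flips each member."""
    value = value.strip()
    if value.startswith("!"):
        return flatten(value[1:], not negated)
    if value.startswith("["):
        if not value.endswith("]"):
            raise ValueError("unbalanced list: " + value)
        return [e for part in split_top(value[1:-1]) for e in flatten(part, negated)]
    # Literal addresses/CIDRs only; 'any' and $VARIABLES raise ValueError here.
    return [(ipaddress.ip_network(value, strict=False), negated)]

def conflicts(value):
    """Negated entries that are equal to or more general than an included one."""
    entries = flatten(value)
    included = [n for n, neg in entries if not neg]
    excluded = [n for n, neg in entries if neg]
    return [(str(x), str(i)) for x in excluded for i in included
            if x.version == i.version and i.subnet_of(x)]

if __name__ == "__main__":
    # The declaration discussed in this message.
    for neg, inc in conflicts("[!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]"):
        print(f"!{neg} covers {inc}")
```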
