[Snort-devel] ipvar: double negation should logically result in inclusion
celzinga at ...2499...
Wed Jun 4 02:49:14 EDT 2008
> So the more general statement of the problem is that, "Negated IP
> ranges that are equal to or are more-general than non-negated ranges
> are not allowed.".
Yes indeed, thanks for clarifying!
> > Why wouldn't you just define
> > ipvar EXTERNAL_NET [!220.127.116.11/32,!18.104.22.168/24,[22.214.171.124,126.96.36.199]]
> Your example fails if any rule references "!$EXTERNAL_NET".
This fails, even in it's original declaration, since !188.8.131.52/24 is
more general than [184.108.40.206,220.127.116.11].
More information about the Snort-devel