[Snort-sigs] Basic question [] syntax question about excluding a subnet of a larger subnet...

Gentoo-Wally gentoowally at ...2420...
Thu Mar 16 12:39:03 EST 2006


Question...

What is the correct way to exclude a subnet from a larger network in a
signature?

var NET1 10.0.0.0/8
var NET2 10.7.0.0/16
var NET3 10.14.0.0/16

alert tcp [$NET1,!$NET2] ANY -> $NET3 ANY ...blah, blah, blah...

Is that the right way to watch for something from NET1 but not in NET2 going
to NET3??? I've seen sigs that do ![$NET2,$NET3] before but I have never
seen one where the ! was in the []. I could not find any examples of using a
! in [] so I'm not sure if this syntax is correct.

If it is not correct in a sig then is it correct in a var???

var NET1 10.0.0.0/8
var NET2 10.7.0.0/16
var NET3 10.14.0.0/16
var NOTNET2 [$NET1,!$NET2]

then...

alert tcp $NOTNET2 ANY -> $NET3 ANY ...blah, blah, blah...



Thx,
Wally
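
Added example (not part of the original post, and not Snort's own parser): a small Python model of the address set the question is aiming for, where non-negated entries in a list are OR'ed together and the result is AND'ed with the negation of every negated entry. That reading of the list is an assumption about the intended meaning, not a statement about what any particular Snort version accepts; the function names are hypothetical.

```python
import ipaddress

# Variables copied from the post.
VARS = {"NET1": "10.0.0.0/8", "NET2": "10.7.0.0/16", "NET3": "10.14.0.0/16"}

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def flatten(spec, variables, negated=False):
    """Return (include, exclude) network lists for an address spec."""
    spec = spec.strip()
    if spec.startswith("!"):
        if negated:
            # Assumption: negation inside a negated list is not modelled here.
            raise ValueError("nested negation is not modelled")
        return flatten(spec[1:], variables, True)
    if spec.startswith("$"):
        return flatten(variables[spec[1:]], variables, negated)
    if spec.startswith("["):
        if not spec.endswith("]"):
            raise ValueError("unbalanced list: " + spec)
        include, exclude = [], []
        for item in split_top(spec[1:-1]):
            inc, exc = flatten(item, variables, negated)
            include += inc
            exclude += exc
        return include, exclude
    net = ipaddress.ip_network(spec)
    return ([], [net]) if negated else ([net], [])

def matches(addr, spec, variables=VARS):
    """True if addr is in some included net (or none are given) and in no excluded net."""
    ip = ipaddress.ip_address(addr)
    include, exclude = flatten(spec, variables)
    included = any(ip in n for n in include) if include else True
    return included and not any(ip in n for n in exclude)
```

Running candidate source addresses through `matches` shows which hosts a list such as `[$NET1,!$NET2]` is meant to cover before the rule is deployed.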