[Snort-users] Multiple HOME_NET IP's
jburnes at ...75...
Fri Aug 11 14:01:10 EDT 2000
On Sat, 12 Aug 2000, Fyodor wrote:
> ~ :Greetings,
> ~ :
> ~ :How about 2 Completely different HOME_NET subnets, such as 192.168.0.0/24 and 10.0.0.0/8, how would I get this done? Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.
> ~ :
Well, there is a preprocessor plugin that converts everything to a 10 net
and a corresponding output plugin that translates back again. Downside
is if you have 10 net space that overlaps that.
Only clean fix is to hack the code and let src/dst compares be done
on a list instead of only one address.
I've looked at the source code. It shouldn't be that hard.
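
The list-based src/dst compare suggested in the reply above, sketched as an added example that is not part of the original post and is not Snort source code. The names `struct net`, `parse_cidr` and `ip_in_list` are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative only, not Snort source; all names here are hypothetical. */
struct net { uint32_t addr, mask; };   /* host byte order */

/* Parse "a.b.c.d/len" into *n. Returns 0 on success, -1 on bad input. */
int parse_cidr(const char *s, struct net *n)
{
    char buf[INET_ADDRSTRLEN];
    const char *slash = strchr(s, '/');
    struct in_addr ia;
    char *end;
    long bits;

    if (!slash || (size_t)(slash - s) >= sizeof buf) return -1;
    memcpy(buf, s, (size_t)(slash - s));
    buf[slash - s] = '\0';
    if (inet_pton(AF_INET, buf, &ia) != 1) return -1;
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end || bits < 0 || bits > 32) return -1;
    /* Shifting a 32-bit value by 32 is undefined, so /0 is special-cased. */
    n->mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    n->addr = ntohl(ia.s_addr) & n->mask;
    return 0;
}

/* 1 if the dotted-quad ip is in any listed network, 0 if not, -1 if malformed. */
int ip_in_list(const char *ip, const struct net *list, size_t count)
{
    struct in_addr ia;
    if (inet_pton(AF_INET, ip, &ia) != 1) return -1;
    for (size_t i = 0; i < count; i++)
        if ((ntohl(ia.s_addr) & list[i].mask) == list[i].addr)
            return 1;
    return 0;
}

int main(void)
{
    struct net home[2];   /* the two subnets from the question */
    if (parse_cidr("192.168.0.0/24", &home[0]) || parse_cidr("10.0.0.0/8", &home[1]))
        return 1;
    /* Constructed sample addresses: one inside the list, one outside. */
    printf("%d %d\n", ip_in_list("10.200.3.4", home, 2), ip_in_list("172.16.0.1", home, 2));
    return 0;
}
```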