[Snort-users] Multiple HOME_NET IP's

Jim Burnes jburnes at ...75...
Fri Aug 11 14:01:10 EDT 2000


On Sat, 12 Aug 2000, Fyodor wrote:

> 
> ~ :Greetings,
> ~ :
> ~ :How about 2 Completely different HOME_NET subnets, such as 192.168.0.0/24 and 10.0.0.0/8, how would I get this done? Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.
> ~ :
> 

Well, there is a preprocessor plugin that converts everything to a 10 net
and then a corresponding output plugin that translates back again.  Downside
is if you have 10 net space that overlaps that.

Only clean fix is to hack the code and let src/dst compares be done
on a list instead of only one address.

I've looked at the source code.  It shouldn't be that hard.

jim burnes
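
Added example (not part of the original message and not Snort's own code): a sketch of the list-based src/dst compare suggested above, matching an address against several networks such as 192.168.0.0/24 and 10.0.0.0/8. The type and function names (`net_t`, `netlist_t`, `netlist_parse`, `netlist_match`) and the comma-separated list syntax are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define MAX_NETS 16   /* all names in this block are hypothetical, not Snort's */
typedef struct { uint32_t addr, mask; } net_t;            /* host byte order */
typedef struct { net_t nets[MAX_NETS]; int count; } netlist_t;

/* Parse one "a.b.c.d/len" entry in place. Returns 0 on success, -1 on error. */
static int parse_cidr(char *s, net_t *out)
{
    char *end, *slash = strchr(s, '/');
    struct in_addr ia;
    long len = 32;                       /* a bare address means a /32 host */

    if (slash) {
        *slash = '\0';
        len = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || len < 0 || len > 32) return -1;
    }
    if (inet_pton(AF_INET, s, &ia) != 1) return -1;
    out->mask = len ? 0xFFFFFFFFu << (32 - len) : 0;      /* never shift by 32 */
    out->addr = ntohl(ia.s_addr) & out->mask;             /* drop stray host bits */
    return 0;
}

/* Parse a list such as "192.168.0.0/24,10.0.0.0/8" into nl. */
int netlist_parse(const char *spec, netlist_t *nl)
{
    char buf[256], *tok;

    nl->count = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);                   /* strtok and parse_cidr modify the copy */
    for (tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        if (nl->count == MAX_NETS || parse_cidr(tok, &nl->nets[nl->count]) < 0)
            return -1;
        nl->count++;
    }
    return nl->count ? 0 : -1;           /* an empty list is an error */
}

/* The compare done against every network in the list instead of only one. */
int netlist_match(const netlist_t *nl, uint32_t ip_host_order)
{
    for (int i = 0; i < nl->count; i++)
        if ((ip_host_order & nl->nets[i].mask) == nl->nets[i].addr) return 1;
    return 0;
}
```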





