[Snort-users] Multiple HOME_NET IP's
dr at ...50...
Sat Aug 12 00:34:16 EDT 2000
On Fri, 11 Aug 2000, Fyodor wrote:
> ~ :How about 2 Completely different HOME_NET subnets, such as 192.168.0.0/24 and 10.0.0.0/8, how would I get this done? Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.
> nope. as for the moment you will have to include ruleset twice with
> different values of HOME_NET, it might be a subject to be changed though,
> if we come with a `smart' idea how to do so :)
I've wondered about this too.
Why not make the address rules type a more complex type with a list of
addresses and netmasks to be compared to. (shouldn't be a big performance
hit, and much less than using double the number of rules).
As far as the rules syntax, you could make addresses including a comma
and no whitespace, complex-multi-part-addresses. I.e.
dursec.com ltd. / kyx.net - we're from the future http://www.dursec.com
More information about the Snort-users