[Snort-users] Multiple HOME_NET IP's

Dragos Ruiu dr at ...50...
Sat Aug 12 00:34:16 EDT 2000


On Fri, 11 Aug 2000, Fyodor wrote:
> ~ :How about 2 Completely different HOME_NET subnets, such as   192.168.0.0/24 and 10.0.0.0/8, how would I get this done?   Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.    
>  nope. as for the moment you will have to include ruleset twice with
> different values of HOME_NET, it might be a subject to be changed though,
> if we come with a `smart' idea how to do so :)

I've wondered about this too.

Why not make the address rules type a more complex type with a list of
addresses and netmasks to be compared to. (shouldn't be a big performance
hit, and much less than using double the number of rules).

As far as the rules syntax, you could make addresses including a comma
and no whitespace, complex-multi-part-addresses. I.e.

10.1.1.0/24

and

10.2.2.0/24,10.1.1.0/24,192.168.0.0/16

Opinions?

--dr

 -- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com




More information about the Snort-users mailing list