[Snort-users] Status update

roesch roesch at ...421...
Sat Nov 18 03:26:02 EST 2000


Hi everyone,
     Sorry for my lack of participation this week; I've been out on the West Coast for some meetings.
     I'm in the process of putting up a new set of code into CVS that's got a major new piece: IP lists.  That's right, you can finally issue a list of IP addresses in a Snort rule.  About damn time, huh? :)
     Anyway, to use it you have to enclose the address list in square brackets and separate the addresses with commas.  Note that you can't put spaces between the addresses right now; it confuses the parser.  Here's an example of the format:

     [10.1.1.0/24,192.168.1.0/24]

If you used it in a var, it'd look like this:

var FOO [10.1.1.0/24,192.168.1.0/24]

alert tcp any any -> $FOO any (flags: SF; msg: "FOO!";)

Anyway, have a look at it when you get a chance and let me know how it works!

I'll be back home on Sunday night (EST) at which point I will try to answer the mountain of e-mail I've gotten this week.  If you have any problems with the code, just remember it's still beta. :)

     -Marty

--
Martin Roesch
roesch at ...421...
http://www.snort.org
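
The list format described in the message above (square brackets, comma separators, no spaces), as an added example that is not part of the original message and is not Snort's own parser: a small Python pre-flight check for a rules file that rejects the spacing mistake and tests whether an address falls inside a list. The function names are hypothetical, and it assumes each entry is a single address or a CIDR block.

```python
import ipaddress


def parse_ip_list(text):
    """Parse '[a/len,b/len]' into a list of networks.

    Raises ValueError for the cases the message warns about:
    missing brackets or whitespace between the addresses.
    """
    if any(ch.isspace() for ch in text):
        raise ValueError("whitespace inside address list: %r" % text)
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("address list must be enclosed in square brackets")
    body = text[1:-1]
    nets = []
    for item in body.split(","):
        if not item:
            raise ValueError("empty entry in address list: %r" % text)
        # strict=False accepts host bits, e.g. 10.1.1.5/24 (assumption).
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def list_contains(nets, addr):
    """Return True if addr falls inside any network of the parsed list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def check_var_line(line):
    """Check a 'var NAME [list]' line; return (name, networks)."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or parts[0] != "var":
        raise ValueError("not a var line: %r" % line)
    return parts[1], parse_ip_list(parts[2])


if __name__ == "__main__":
    # Constructed sample lines: the first is the form from the message,
    # the second has the space the message says confuses the parser.
    for sample in ("var FOO [10.1.1.0/24,192.168.1.0/24]",
                   "var FOO [10.1.1.0/24, 192.168.1.0/24]"):
        try:
            name, nets = check_var_line(sample)
            print(name, "ok:", [str(n) for n in nets])
        except ValueError as err:
            print("rejected:", err)
```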


