[Snort-users] Multiple IP address matching

Dragos Ruiu
Thu Sep 21 04:30:38 EDT 2000

On Wed, 20 Sep 2000, Kris Kennaway wrote:
> Hi there,
> As far as I can tell, snort doesn't have the capability to match on a
> list of IP addresses, only on a single CIDR block or the negation of
> that block.
> For my purposes, I have a number of machines which are part of a
> larger class B subnet (not contained within a smaller address block),
> and I want to be able to treat other machines on that class B as being
> external. I don't think there's any current way to do this, which
> means I either have to put up with snort traffic between my "internal"
> machines being logged as suspicious, or trust the entire class B and
> hope no-one else is poking at my machines.
> Does anyone have any suggestions?

The standard solution is to use multiple sets of rules in the same
file with duplicate rules for each block, i.e.:

HOME_NET = blah
rules a
rules b
rules c
HOME_NET = foo
rules a
rules b
rules c

But the good news is that this is such an oft-requested task
that it's on the development to-do list to change the address
type to a list of addresses.  I've been looking over how to
implement this, and if Marty or Fyodor don't tackle it before
I do, I plan on upgrading my snorters with this capability within
the next few releases because I need this feature too.

I would also like to convert the port types to ranges too...
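An added example (not from the thread or from Snort itself) that models both points above: `expand_rules` performs the duplicated-rule workaround, and `address_matches` implements the list-of-addresses semantics on the to-do list, so you can see which source hosts each approach treats as external. The bracketed `[a,b,c]` list syntax, the `$HOME_NET` placeholder and all addresses are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample: "internal" hosts scattered across one class B,
# expressed as several disjoint blocks (not addresses from the thread).
HOME_NET_BLOCKS = ["172.16.10.0/24", "172.16.45.0/24", "172.16.200.128/25"]

# Constructed Snort-1.x-style templates; $HOME_NET is the placeholder each
# duplicated copy of the rule set replaces with one block.
RULE_TEMPLATES = [
    'alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP from outside HOME_NET";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"telnet from outside HOME_NET";)',
]


def expand_rules(blocks, templates):
    """The workaround from the post: one copy of every rule per HOME_NET block."""
    return [t.replace("$HOME_NET", b) for b in blocks for t in templates]


def parse_address_list(spec):
    """Parse the assumed list syntax: optional leading '!' then either a single
    CIDR or '[cidr,cidr,...]'. Returns (negated, [ip_network, ...])."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]
    return negated, nets


def address_matches(spec, ip):
    """True if ip satisfies spec: inside any listed block, inverted when negated.
    This is the list-typed address match the post says is on the to-do list."""
    negated, nets = parse_address_list(spec)
    addr = ipaddress.ip_address(ip)
    inside = any(addr in net for net in nets)
    return not inside if negated else inside


def external_per_block(blocks, src_ip):
    """Blocks whose duplicated '!$HOME_NET -> $HOME_NET' rule copy would still
    treat src_ip as external (an internal host from another block alerts here)."""
    return [b for b in blocks if address_matches("!" + b, src_ip)]
```

Compare `external_per_block(HOME_NET_BLOCKS, "172.16.10.5")`, which names the two other blocks, with `address_matches("![...all three...]", "172.16.10.5")`, which is False: the list type is what lets traffic between your own scattered blocks stop looking external.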
