[Snort-users] Multiple IP address matching
dr at ...381...
Thu Sep 21 04:30:38 EDT 2000
On Wed, 20 Sep 2000, Kris Kennaway wrote:
> Hi there,
> As far as I can tell, snort doesn't have the capability to match on a
> list of IP addresses, only on a single CIDR block or the negation of
> that block.
> For my purposes, I have a number of machines which are part of a
> larger class B subnet (not contained within a smaller address block),
> and I want to be able to treat other machines on that class B as being
> external. I don't think there's any current way to do this, which
> means I either have to put up with snort traffic between my "internal"
> machines being logged as suspicious, or trust the entire class B and
> hope no-one else is poking at my machines.
> Does anyone have any suggestions?
The standard solution is to use multiple sets of rules in the same
file with duplicate rules for each block, i.e.:
HOME_NET = blah
HOME_NET = foo
But the good news is that this is such an oft requested task
that it's on the development todo list to change the address
type to a list of addresses. I've been looking over how to
implement this, and if Marty or Fyodor don't tackle it before
I do, I plan on upgrading my snorters with this capability within
the next few releases because I need this feature too.
I would also like to convert the port types to ranges too...
Dragos Ruiu <dr at ...50...> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net
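The trade-off the thread describes (one CIDR or its negation, versus the duplicated-rule workaround, versus a real address list) can be checked in a few lines. The following is an added example, not code from the thread or from the Snort project; it models a small Snort-style address-spec grammar (single block, `!` negation, and a bracketed comma-separated list, which is an assumed syntax here) and applies it to constructed addresses. It also shows a caveat the workaround carries: repeating a `!$HOME_NET -> $HOME_NET` rule once per block only negates that one block per copy, so traffic between two of your own blocks still raises the alert, whereas a list negates the union.

```python
from ipaddress import ip_address, ip_network


def parse_addr_spec(spec):
    """Parse a Snort-style address spec into (negated, [ip_network, ...]).

    Accepted forms (assumed grammar for this example):
      "10.1.0.0/16"                    single CIDR block
      "!10.1.0.0/16"                   negation of a block
      "[10.1.7.0/24,10.1.200.5/32]"    list of blocks
      "![10.1.7.0/24,10.1.200.5/32]"   negation of a list
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",") if p.strip()]
    else:
        parts = [spec]
    if not parts:
        raise ValueError("empty address list")
    return negated, [ip_network(p, strict=False) for p in parts]


def matches(spec, addr):
    """True if addr satisfies spec: membership in any listed block, XOR negation."""
    negated, nets = parse_addr_spec(spec)
    a = ip_address(addr)
    return any(a in n for n in nets) != negated


def rule_fires(src_spec, dst_spec, src, dst):
    """A rule header 'src_spec any -> dst_spec any' fires when both sides match."""
    return matches(src_spec, src) and matches(dst_spec, dst)


def fires_with_duplicated_rules(home_blocks, src, dst):
    """Workaround from the thread: the same '!$HOME_NET -> $HOME_NET' rule is
    repeated once per HOME_NET block, so the alert fires if ANY copy fires."""
    return any(rule_fires("!" + b, b, src, dst) for b in home_blocks)


def fires_with_address_list(home_blocks, src, dst):
    """Requested feature: HOME_NET is one list, so '!' applies to the union."""
    lst = "[" + ",".join(home_blocks) + "]"
    return rule_fires("!" + lst, lst, src, dst)


# Constructed sample: a class B of which only two pieces are "mine".
CLASS_B = "10.1.0.0/16"
MY_BLOCKS = ["10.1.7.0/24", "10.1.200.5/32"]


def demo():
    stranger = "10.1.9.9"   # another host on the class B, not mine (constructed)
    mine_a = "10.1.7.1"     # constructed
    mine_b = "10.1.200.5"   # constructed
    outside = "192.0.2.10"  # constructed, documentation range
    return {
        # trusting the whole class B: the stranger never looks external
        "whole_class_b_stranger": rule_fires("!" + CLASS_B, CLASS_B, stranger, mine_a),
        # address list: the stranger is external and is flagged
        "list_stranger": fires_with_address_list(MY_BLOCKS, stranger, mine_a),
        # address list: my own blocks talking to each other is not flagged
        "list_own_traffic": fires_with_address_list(MY_BLOCKS, mine_b, mine_a),
        # duplicated rules: the stranger is caught as well ...
        "dup_stranger": fires_with_duplicated_rules(MY_BLOCKS, stranger, mine_a),
        # ... but each copy's '!' means "not this block", so traffic between
        # my own two blocks still raises the alert (false positive)
        "dup_own_traffic": fires_with_duplicated_rules(MY_BLOCKS, mine_b, mine_a),
        # a genuinely external host is flagged under the list form too
        "list_outside": fires_with_address_list(MY_BLOCKS, outside, mine_a),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:24s} alert={'yes' if fired else 'no'}")
```

Running it shows `dup_own_traffic` firing while `list_own_traffic` does not; that difference is the noise the original poster wanted to avoid, and it is exactly what a list-typed HOME_NET removes.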