[Snort-users] (no subject)

Erek Adams erek at ...577...
Sun Apr 8 15:08:25 EDT 2001


On Sun, 8 Apr 2001, Rino Mardo wrote:

> What exactly does the "!" in !HOME_NET mean?  It's confusing to look at it
> because it seems to tell "not xx.xx.xx.xx" where xx = to the internal
> network.  Is that it?  Are we meant to supply the same ip address in
> HOME_NET and !HOME_NET ?  For example, if my internal network is
> 192.168.2.0/24 then both variables should hold the same value?

The ! in !HOME_NET is a 'negation' operator.  Think about it like this:
My_Name is Erek.  Your_Name is Not Erek.  Therefore Your_name = !My_Name.
(Ug...  I sound like my Logic teacher, Aieee! ;-) )

It's just a simpler way to say "This is my Home Network" and "Everything else
is not".  It might make it easier to look at the rules and think about the
substitution that's taking place.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (....)

The rule snippet above would translate into:

alert tcp !10.20.30.0/24 any -> 10.20.30.0/24 any (...)

Or into 'Any tcp packet on any port from outside of your network going to any
port on your local net'.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
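
Added example, not part of the original message and not Snort's own code: a small Python model of the substitution described in the reply, where HOME_NET is defined once and EXTERNAL_NET is its negation. The variable table, the helper names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed variable table, mirroring snort.conf lines such as:
#   var HOME_NET 10.20.30.0/24
#   var EXTERNAL_NET !$HOME_NET
VARS = {"HOME_NET": "10.20.30.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def expand(spec, variables=VARS, depth=0):
    """Substitute $NAME references until only literal addresses remain."""
    if depth > 8:
        raise ValueError("variable reference loop")
    m = re.search(r"\$(\w+)", spec)
    if not m:
        return spec
    name = m.group(1)
    if name not in variables:
        raise KeyError(f"undefined variable ${name}")
    replaced = spec[:m.start()] + variables[name] + spec[m.end():]
    return expand(replaced, variables, depth + 1)

def addr_matches(spec, ip):
    """True if ip satisfies 'any', a CIDR block, or a !-negated CIDR block."""
    spec = expand(spec)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate  # the ! flips the result of the plain match

def header_matches(header, src, dst):
    """Check src/dst against 'action proto src sport -> dst dport' (ports ignored)."""
    _action, _proto, src_spec, _sport, arrow, dst_spec, _dport = header.split()
    if arrow != "->":
        raise ValueError("only the -> direction is modelled here")
    return addr_matches(src_spec, src) and addr_matches(dst_spec, dst)

HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"

if __name__ == "__main__":
    # Constructed packets: inbound, internal-to-internal, outbound.
    for src, dst in [("203.0.113.9", "10.20.30.5"),
                     ("10.20.30.7", "10.20.30.5"),
                     ("10.20.30.5", "203.0.113.9")]:
        print(src, "->", dst, header_matches(HEADER, src, dst))
```

Only the inbound packet matches: internal-to-internal traffic fails the negated source test, and outbound traffic fails both address tests.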




