[Snort-users] simple question
rdesmond at ...6547...
Thu Oct 10 08:13:33 EDT 2002
At 04:22 PM 10/7/02 -0500, Steve Halligan wrote:
>Well, you can run snort like this:
>snort [your options] host !A.B.C.100
Works, also, "snort <options> not host a.b.c.100"
>You can add a -o to the command line and make a pass rule like:
>pass ip any any -> A.B.C.100 any
Works on inbound. Will still alert on any trouble .100 causes, but this is
probably a good thing.
>you can make your HOME_NET:
>var HOME_NET [A.B.C.0/24,!A.B.C.100]
I don't think this will work. If my thinking is correct, the comma
delimitation basically works as an OR. So what you have is [a.b.c.0/24 OR
(NOT a.b.c.100)], which is basically defining it as "any" in a fun little
roundabout way. I wish this would work though.
UCSB Extended Learning Services
More information about the Snort-users