[Snort-users] simple question

Robby Desmond rdesmond at ...6547...
Thu Oct 10 08:13:33 EDT 2002


At 04:22 PM 10/7/02 -0500, Steve Halligan wrote:
>Well, you can run snort like this:
>
>snort [your options] host !A.B.C.100

Works, also, "snort <options> not host a.b.c.100"

>or
>
>You can add a -o to the command line and make a pass rule like:
>
>pass ip any any -> A.B.C.100 any

Works on inbound. Will still alert on any trouble .100 causes, but this is 
probably a good thing.

>or
>
>you can make your HOME_NET:
>
>var HOME_NET [A.B.C.0/24,!A.B.C.100]

I don't think this will work.  If my thinking is correct, the comma 
delimitation basically works as an OR.  So what you have is [a.b.c.0/24 OR 
(NOT a.b.c.100)], which is basically defining it as "any" in a fun little 
roundabout way. I wish this would work though.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906





More information about the Snort-users mailing list