[Snort-users] simple question

Robby Desmond rdesmond at ...6547...
Thu Oct 10 08:13:33 EDT 2002

At 04:22 PM 10/7/02 -0500, Steve Halligan wrote:
>Well, you can run snort like this:
>snort [your options] host !A.B.C.100

Works. Also: "snort <options> not host a.b.c.100"

>You can add a -o to the command line and make a pass rule like:
>pass ip any any -> A.B.C.100 any

Works on inbound. Will still alert on any trouble .100 causes, but this is 
probably a good thing.

>you can make your HOME_NET:
>var HOME_NET [A.B.C.0/24,!A.B.C.100]

I don't think this will work.  If my thinking is correct, the comma 
delimitation basically works as an OR.  So what you have is [a.b.c.0/24 OR 
(NOT a.b.c.100)], which is basically defining it as "any" in a fun little 
roundabout way. I wish this would work though.


Robert Desmond
Systems Administrator
UCSB Extended Learning Services
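
The OR reading of `[A.B.C.0/24,!A.B.C.100]` described in the reply above, modelled next to the exclude reading the list was meant to have. This is an added example, not part of the original message and not Snort's code, and it makes no claim about which reading a given Snort version implements; the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the post's placeholders A.B.C.0/24 and A.B.C.100
# (192.0.2.0/24 is a documentation range).
HOME_NET = ["192.0.2.0/24", "!192.0.2.100"]


def parse(entries):
    """Turn list entries into (negated, network) pairs."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        parsed.append((negated, ipaddress.ip_network(entry.lstrip("!"))))
    return parsed


def match_or(addr, entries):
    """Reading from the post: every comma is an OR, so one true term is enough."""
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != negated for negated, net in parse(entries))


def match_exclude(addr, entries):
    """Intended reading: inside a positive entry AND outside every negated one."""
    ip = ipaddress.ip_address(addr)
    terms = parse(entries)
    included = any(ip in net for negated, net in terms if not negated)
    excluded = any(ip in net for negated, net in terms if negated)
    return included and not excluded


def compare(addrs, entries=HOME_NET):
    """Return {addr: (or_result, exclude_result)} for side-by-side inspection."""
    return {a: (match_or(a, entries), match_exclude(a, entries)) for a in addrs}


if __name__ == "__main__":
    samples = ["192.0.2.7", "192.0.2.100", "198.51.100.9"]  # constructed
    for addr, (as_or, as_excl) in compare(samples).items():
        print(f"{addr:15} OR-semantics={as_or!s:5} exclude-semantics={as_excl}")
```

Under the OR reading all three sample addresses match, including one outside the /24, which is the "any" effect the reply describes.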
