[Snort-users] variable question
mkettler at ...4108...
Tue Jun 10 11:19:09 EDT 2003
At 10:05 AM 6/10/2003 -0400, Mike Ellis wrote:
>My EXTERNAL_NET variable looks like this in my snort.conf file:
>var EXTERNAL_NET ![$HOME_NET,$NCREN]
>I have defined HOME_NET and NCREN prior to establishing the EXTERNAL_NET
>variable. What I want to do is have my EXTERNAL_NET look at all things
>except for HOME_NET and NCREN. Can someone let me know if, as it is
>written above, the variable statement should work?
The statement you list should work properly and as expected, provided that
$NCREN and $HOME_NET are defined and are valid in syntax.
A common mistake people often make is a basic boolean logic mistake.. you
often see people write things like:
var EXTERNAL_NET [!$HOME_NET,!$NCREN]
Which looks correct at casual glance, but is incorrect, since if NCREN and
HOME_NET are non-intersecting, it is the same as "any". But you didn't make
Congratulations, you understand basic boolean operations better than most :)
>Also, is there a command I can run to see what snort thinks my
>EXTERNAL_NET variable is?
Snort variables aren't really variables at all.. AFAIK they are implemented
as literal text substitution, so they are more akin to C's #define than a
I don't think there is a command to show what a var statement is, but a bit
of copy-paste should show what it winds up being.
More information about the Snort-users