[Snort-users] variable question

Matt Kettler mkettler at ...4108...
Tue Jun 10 11:19:09 EDT 2003


At 10:05 AM 6/10/2003 -0400, Mike Ellis wrote:
>My EXTERNAL_NET variable looks like this in my snort.conf file:
>
>var EXTERNAL_NET ![$HOME_NET,$NCREN]
>
>I have defined HOME_NET and NCREN prior to establishing the EXTERNAL_NET
>variable.  What I want to do is have my EXTERNAL_NET look at all things
>except for HOME_NET and NCREN.  Can someone let me know if, as it is
>written above, the variable statement should work?


The statement you list should work properly and as expected, provided that 
$NCREN and $HOME_NET are defined and are valid in syntax.

A common mistake people often make is a basic boolean logic mistake.. you 
often see people write things like:

var EXTERNAL_NET [!$HOME_NET,!$NCREN]

Which looks correct at casual glance, but is incorrect, since if NCREN and 
HOME_NET are non-intersecting, it is the same as "any". But you didn't make 
that mistake.

Congratulations, you understand basic boolean operations better than most :)


>Also, is there a command I can run to see what snort thinks my
>EXTERNAL_NET variable is?

Snort variables aren't really variables at all.. AFAIK they are implemented 
as literal text substitution, so they are more akin to C's #define than a 
variable.

I don't think there is a command to show what a var statement is, but a bit 
of copy-paste should show what it winds up being.
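
Added example, not part of the original message: a small Python model of the two points in the reply, plain text substitution of the variables and the difference between ![A,B] and [!A,!B]. The network values, the GOOD/BAD names and the helper functions are constructed for illustration, and the evaluator assumes list elements are OR'ed together as the reply describes; it is not Snort's own parser.

```python
import ipaddress
import re

# Constructed sample values (documentation ranges); the post gives no real ones.
VARS = {
    "HOME_NET": "192.0.2.0/24",
    "NCREN": "198.51.100.0/24",
    "GOOD": "![$HOME_NET,$NCREN]",   # form from the question
    "BAD": "[!$HOME_NET,!$NCREN]",   # the common mistake
}

def expand(text, variables=VARS, max_passes=10):
    """Substitute $NAME with its definition as plain text, like a #define."""
    for _ in range(max_passes):
        if "$" not in text:
            break
        text = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)
    if "$" in text:
        raise ValueError("definitions nest too deeply or are circular")
    return text

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def matches(spec, addr):
    """Assumed semantics: '!' negates, list elements are OR'ed together."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not matches(spec[1:], addr)
    if spec.startswith("[") and spec.endswith("]"):
        return any(matches(p, addr) for p in split_top(spec[1:-1]))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def compare(addr):
    """Return (correct form result, mistaken form result) for one address."""
    return matches(expand("$GOOD"), addr), matches(expand("$BAD"), addr)

if __name__ == "__main__":
    for a in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(a, compare(a))
```

Under these assumptions the first form excludes both sample networks, while the second form matches every address, including those inside HOME_NET and NCREN.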








