[Snort-users] External Subnets
mkettler at ...4108...
Tue Nov 25 16:43:05 EST 2003
At 07:10 PM 11/25/2003, adam_peterson at ...10608... wrote:
>Is it possible to specify a negative variable value for a variable? Meaning:
>var EXTERNAL_NET !HOME_NET
>The bang is just an idea of something that would negate the value so that
>my external_net variable would be any ip/subnet that isn't part of the
>home_net variable. Is there anything in place to allow for this? Could
>there be? Since so many of the rules are based on the external_net
>variable, it's very frustrating that it must be set to ANY for my
>configurations because I can't specify every subnet on the Internet...or
Yes, you can do that.. lots of people use that exact setting.
1) make sure HOME_NET has proper braces around it if it's multiple IP ranges.
2) make sure HOME_NET isn't "any".. because !any is nothing.
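
A small checker for the two conditions in the reply above, as an added example that is not part of the original post: it reads `var` lines from snort.conf text and flags a negated EXTERNAL_NET whose HOME_NET is `any` or is a multi-range list without Snort's square-bracket list syntax. The function names and sample addresses are constructed for this example.

```python
import re

# Matches Snort 2.x variable definitions: "var NAME VALUE".
# Later 2.x releases also use "ipvar", so that keyword is accepted too.
VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(.+?)\s*$")

def parse_vars(conf_text):
    """Return {name: value} for every var/ipvar line, ignoring comments."""
    variables = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def lint_negated_external_net(conf_text):
    """Check both conditions from the reply when EXTERNAL_NET is !$HOME_NET."""
    v = parse_vars(conf_text)
    home = v.get("HOME_NET", "")
    ext = v.get("EXTERNAL_NET", "")
    findings = []
    if ext.replace(" ", "") != "!$HOME_NET":
        return findings  # EXTERNAL_NET is not the negation of HOME_NET
    if home.lower() == "any":
        findings.append("HOME_NET is 'any', so !$HOME_NET matches nothing")
    elif "," in home and not (home.startswith("[") and home.endswith("]")):
        findings.append("HOME_NET lists several ranges without [ ] around them")
    return findings

# Constructed sample configurations (addresses are illustrative only).
BAD_ANY = "var HOME_NET any\nvar EXTERNAL_NET !$HOME_NET\n"
BAD_LIST = "var HOME_NET 10.1.1.0/24,192.168.1.0/24\nvar EXTERNAL_NET !$HOME_NET\n"
GOOD = "var HOME_NET [10.1.1.0/24,192.168.1.0/24]\nvar EXTERNAL_NET !$HOME_NET\n"

if __name__ == "__main__":
    for name, conf in (("BAD_ANY", BAD_ANY), ("BAD_LIST", BAD_LIST), ("GOOD", GOOD)):
        print(name, lint_negated_external_net(conf) or "ok")
```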