[Snort-users] External Subnets

Matt Kettler mkettler at ...4108...
Tue Nov 25 16:43:05 EST 2003


At 07:10 PM 11/25/2003, adam_peterson at ...10608... wrote:
>Is it possible to specify a negative variable value for a variable?  Meaning:
>
>var EXTERNAL_NET        !HOME_NET
>
>The bang is just an idea of something that would negate the value so that 
>my external_net variable would be any ip/subnet that isn't part of the 
>home_net variable.  Is there anything in place to allow for this?  Could 
>there be?  Since so many of the rules are based on the external_net 
>variable, it's very frustrating that it must be set to ANY for my 
>configurations because I can't specify every subnet on the Internet...or 
>can I?

Yes, you can do that.. lots of people use that exact setting.

1) make sure HOME_NET has proper braces around it if it's multiple IP ranges.
2) make sure HOME_NET isn't "any".. because !any is nothing.
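
Added example, not part of the original post: a small Python check for the two conditions in the reply, run over constructed snort.conf fragments. It assumes Snort's `var NAME value` lines, `$NAME` variable references and square-bracket address lists; the function names and sample addresses are made up for this example.

```python
import re

# Matches "var NAME value" (and the later "ipvar" keyword) in a snort.conf line.
VAR_RE = re.compile(r'^\s*(?:var|ipvar)\s+(\S+)\s+(.+?)\s*$')

def parse_vars(conf_text):
    """Return {name: value} for every var line, ignoring # comments."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line.split('#', 1)[0])
        if m:
            found[m.group(1)] = m.group(2)
    return found

def check_negated_external(conf_text):
    """List the problems with defining EXTERNAL_NET as the negation of HOME_NET."""
    v = parse_vars(conf_text)
    home, ext = v.get('HOME_NET'), v.get('EXTERNAL_NET')
    if home is None or ext is None:
        return ['HOME_NET and EXTERNAL_NET must both be defined']
    problems = []
    if ext.replace(' ', '') != '!$HOME_NET':
        problems.append('EXTERNAL_NET is not written as !$HOME_NET')
    if home.lower() == 'any':
        # Point 2 of the reply: the negation of "any" is nothing.
        problems.append('HOME_NET is "any", so !$HOME_NET matches nothing')
    if ',' in home and not (home.startswith('[') and home.endswith(']')):
        # Point 1 of the reply: several ranges must be enclosed as one list.
        problems.append('HOME_NET lists several ranges without enclosing brackets')
    return problems

# Constructed sample configurations (addresses are illustrative only).
GOOD = """
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
"""
HOME_IS_ANY = """
var HOME_NET any            # default left in place
var EXTERNAL_NET !$HOME_NET
"""
UNBRACKETED = """
var HOME_NET 10.1.1.0/24,192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
"""

if __name__ == '__main__':
    for name, conf in (('GOOD', GOOD), ('HOME_IS_ANY', HOME_IS_ANY),
                       ('UNBRACKETED', UNBRACKETED)):
        print(name, check_negated_external(conf) or 'ok')
```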





