[Snort-users] Question about negated and non-negated variables in rules

J-H. Johansen corinth at ...4741...
Thu Nov 27 08:51:02 EST 2003


J-H. Johansen wrote:

> Hi,
> 
> I'm working on some ICMP rules and was wondering
> Recently I added a variable which contains our homenet with exclusions:
> 
> var NOT_ICMP_SERVERS [$HOME_NET,!xxx.xxx.xx.xxx/32,!xxx.xx.xx.xx/32]
> 
> This failed while running a check so I've also tried:
> 
> var ICMP_WHITELIST [xxx.xxx.xx.xxx/32,xxx.xx.xx.xx/32]
> var NOT_ICMP_SERVERS $HOME_NET !$ICMP_WHITELIST
> 
> This one doesn't fail, but it doesn't work either.
> 
> var ICMP_WHITELIST [xxx.xxx.xx.xxx/32,xxx.xx.xx.xx/32]
> var NOT_ICMP_SERVERS [$HOME_NET,!$ICMP_WHITELIST]
> 
> fails as well.
> 
> Any clues as to how this must be done?
> 

And does anyone have a clue why bigbrother sent me this reply when I 
sent this mail?


Subject: Symantec Mail Security detected that you sent a message 
containing prohibited content
From: admin at ...10183...

Subject of the message: [Snort-users] Question about negated and 
non-negated variables in rules
Recipient of the message: "snort-users at lists.sourceforge.net" 
<snort-users at lists.sourceforge.net>

jens:H



