[Snort-users] Question about negated and non-negated variables in rules

corinth corinth at ...4741...
Fri Nov 28 00:31:02 EST 2003


Topi Ylinen wrote:

> You'll probably have received a number of replies already, but here's one
> more.
>
> 1) From the Snort FAQ:
> "Note that the negation operator does not work inside a list so the
> following will NOT work:
>
>     var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]
>
> but this will work:
>
>     var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16]"
>
> 2) Also note that the list operator (",") is a disjunction ("OR"), not a
> conjunction ("AND").
> I.e., if you say "!AAA.BBB.CCC.DDD/32,!EEE.FFF.GGG.HHH/32", an IP address
> can only fail this condition if AAA.BBB.CCC.DDD == EEE.FFF.GGG.HHH (you
> are effectively saying, "if this IP is not from A *OR* is not from B")
>
> --
> T.
>
Thanks, I tried to RTFM but I couldn't find anything about combining two 
variables though, which is the main problem. Since I have a non-negated 
variable and one negated variable, how can I combine these two?

Your reply is the first, btw =)

jens:H
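
The two readings discussed in the quoted reply, modelled in Python as an added example that is not part of the original thread or of Snort's code. It evaluates plain boolean logic only, not Snort's variable parser; the function names and sample addresses are constructed for illustration, and `include_and_exclude` is the logical condition the follow-up question asks for, not Snort syntax.

```python
# Added illustration: models the boolean logic only, not Snort's parser.
from ipaddress import ip_address, ip_network

# Networks taken from the FAQ excerpt quoted in the thread.
NETS = [ip_network("192.168.40.0/24"), ip_network("10.14.0.0/16")]


def or_of_negations(ip, nets):
    """[!A,!B] read as a disjunction: 'not in A' OR 'not in B'."""
    addr = ip_address(ip)
    return any(addr not in net for net in nets)


def negated_list(ip, nets):
    """![A,B]: NOT ('in A' OR 'in B')."""
    addr = ip_address(ip)
    return not any(addr in net for net in nets)


def include_and_exclude(ip, include, exclude):
    """Hypothetical helper: in some `include` net AND in no `exclude` net."""
    addr = ip_address(ip)
    in_include = any(addr in net for net in include)
    in_exclude = any(addr in net for net in exclude)
    return in_include and not in_exclude


def truth_table(samples, nets=NETS):
    """Map each address to (or_of_negations, negated_list)."""
    return {ip: (or_of_negations(ip, nets), negated_list(ip, nets))
            for ip in samples}


# Constructed sample addresses: one in each listed network, one in neither.
SAMPLES = ["192.168.40.7", "10.14.3.9", "203.0.113.5"]

if __name__ == "__main__":
    for ip, (disj, neg) in truth_table(SAMPLES).items():
        print(f"{ip:15} [!A,!B]={disj!s:5} ![A,B]={neg}")
```

With two distinct networks the disjunction of negations is true for every address, so it excludes nothing; only the negated list excludes both networks.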




