[Snort-users] Question about negated and non-negated variables in rules

Matt Kettler mkettler at ...4108...
Fri Nov 28 12:02:05 EST 2003


At 02:49 PM 11/28/2003, Jens-Harald Johansen wrote:
>Thanks Matt, but what I was looking for was the boolean equivalent of:
>
>(a) and ((not b) or (not c))

>Meaning, I want a, but not b or c. This rule will then be negated in the 
>rules I'm mod'ing.

*cough* compare those two statements...
         (a) and ((not b) or (not c))
         (note: the above is the same as "a" if b and c don't overlap)

is not the same as:
         A and not (b or c).


However, I don't think that construct is possible in snort syntax... you'd 
have to use pass rules to get it.

The top-level operation in an IP list in snort is an OR operator, not an AND 
operator, so you cannot "subtract off" IPs already added to the list.
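
The difference between the two expressions in the message above, worked through as an added example (not part of the original post) over constructed address ranges. The networks and function names are assumptions, and the code models only the boolean logic, not Snort's own variable parsing.

```python
import ipaddress

# Constructed sample ranges (documentation address space); a, b, c are hypothetical.
A = ipaddress.ip_network("192.0.2.0/24")
B = ipaddress.ip_network("192.0.2.0/25")      # .0 - .127
C = ipaddress.ip_network("192.0.2.64/26")     # .64 - .127, overlaps B
# A second pair where b and c do not overlap.
B_DISJOINT = ipaddress.ip_network("192.0.2.0/26")     # .0 - .63
C_DISJOINT = ipaddress.ip_network("192.0.2.128/26")   # .128 - .191


def first_form(ip, a, b, c):
    """(a) and ((not b) or (not c)): excludes only addresses in BOTH b and c."""
    return ip in a and ((ip not in b) or (ip not in c))


def second_form(ip, a, b, c):
    """a and not (b or c): excludes addresses in EITHER b or c."""
    return ip in a and not (ip in b or ip in c)


def matching(form, a, b, c):
    """Return every address of network a that the given expression accepts."""
    return {ip for ip in a if form(ip, a, b, c)}


def disagreement(a, b, c):
    """Addresses the first form accepts but the second form rejects."""
    return matching(first_form, a, b, c) - matching(second_form, a, b, c)


if __name__ == "__main__":
    for label, b, c in (("overlapping", B, C), ("disjoint", B_DISJOINT, C_DISJOINT)):
        first = matching(first_form, A, b, c)
        second = matching(second_form, A, b, c)
        extra = sorted(disagreement(A, b, c))
        print(f"{label}: first form matches {len(first)}, second form matches {len(second)}")
        print(f"  first form reduces to plain 'a': {first == set(A)}")
        if extra:
            print(f"  accepted only by first form: {extra[0]} .. {extra[-1]} ({len(extra)} addresses)")
```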





