[Snort-users] Question about negated and non-negated variables in rules
corinth at ...4741...
Sat Nov 29 03:25:03 EST 2003
Matt Kettler wrote:
> At 02:49 PM 11/28/2003, Jens-Harald Johansen wrote:
>> Thanks Matt, but what I was looking for was the boolean equivalent of:
>> (a) and ((not b) or (not c))
>> Meaning, I want a, but not b or c. This rule will then be negated in
>> the rules I'm mod'ing.
> *cough* compare those two statements...
> (a) and ((not b) or (not c))
> (note: the above is the same as "a" if b and c don't overlap)
> is not the same as:
> A and not (b or c).
> However, I don't think that construct is possible in snort syntax...
> you'd have to use pass rules to get it.
> The top-level operation in an IP list in snort is an OR operator, not
> an AND operator, so you cannot "subtract off" IPs already added to the
Sorry, my bad. Been a while since I had any boolean mathematics in school
and ... err ... guess I stumbled a bit there *cough*.
You're absolutely correct. I need to whitelist a couple of IP addresses
which are allowed to run certain forms of ICMP traffic on our net.
But if I understand you correctly, I need to create pass rules for the
hosts which are allowed to run the ICMP traffic? Think I'll need to
RTFM concerning pass rules. Haven't used them before.
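
The difference between the two expressions compared in this thread, as an added example that is not part of the original messages. The network and host addresses are constructed sample values, and `or_list` models a list whose terms are ORed together only as the quoted reply describes it (an assumption, not Snort's own code).

```python
import ipaddress

# Constructed sample values (not taken from the thread).
A = ipaddress.ip_network("192.0.2.0/24")   # "a": the monitored network
B = ipaddress.ip_address("192.0.2.10")     # "b": first host to exclude
C = ipaddress.ip_address("192.0.2.20")     # "c": second host to exclude


def as_written(ip):
    """(a) and ((not b) or (not c)): the expression first posted."""
    return ip in A and ((ip != B) or (ip != C))


def as_intended(ip):
    """a and not (b or c): a, with b and c subtracted."""
    return ip in A and not (ip == B or ip == C)


def or_list(ip):
    """[a, !b, !c] when every term of the list is ORed together."""
    return ip in A or ip != B or ip != C


def truth_table(addresses):
    """Map each address to (as_written, as_intended, or_list)."""
    table = {}
    for text in addresses:
        ip = ipaddress.ip_address(text)
        table[text] = (as_written(ip), as_intended(ip), or_list(ip))
    return table


# b, c, another host inside a, and a host outside a (all constructed).
SAMPLES = ["192.0.2.10", "192.0.2.20", "192.0.2.99", "198.51.100.7"]

if __name__ == "__main__":
    print(f"{'address':<15} written intended or-list")
    for addr, row in truth_table(SAMPLES).items():
        print(f"{addr:<15} {row[0]!s:<7} {row[1]!s:<8} {row[2]!s}")
```

Because no single address can equal both b and c, `(not b) or (not c)` is always true, so the first expression collapses to plain `a`; the ORed list is true for every address, including ones outside `a`.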