[Snort-users] Snort Variables

Matt Kettler mkettler at ...4108...
Fri Feb 6 10:36:01 EST 2004


At 11:32 AM 2/6/2004, SN ORT wrote:
>OK, so in the process of optimizing my config, I want
>to be able to check and see that the variables are
>reading and storing the correct info I put in the
>config. Example:
>
>var $HTTP_SERVERS [$HOME_NET,!$FIREWALLS]
>
>So how do I look at this variable to see it's
>contents?

Expand it by hand... They're just done as literal text substitution.

I suspect you have a common and obvious logic bug. From looking at the 
above, you want to match HOME_NET and exclude FIREWALLS..

However, that's not what you've declared.

The comma separated listings in IP address lists for snort is an OR 
operator. So the list matches (HOME_NET) OR (not FIREWALLS) . If FIREWALLS 
is a subset of HOME_NET, the result is the same as "any"


With snort syntax you cannot define HTTP_SERVERS = "everything in HOME_NET, 
with the exlusion of my FIREWALLS". You have to define it by adding things 
together.. no subtractions.









More information about the Snort-users mailing list