[Snort-users] Snort Variables
mkettler at ...4108...
Fri Feb 6 10:36:01 EST 2004
At 11:32 AM 2/6/2004, SN ORT wrote:
>OK, so in the process of optimizing my config, I want
>to be able to check and see that the variables are
>reading and storing the correct info I put in the
>var $HTTP_SERVERS [$HOME_NET,!$FIREWALLS]
>So how do I look at this variable to see it's
Expand it by hand... They're just done as literal text substitution.
I suspect you have a common and obvious logic bug. From looking at the
above, you want to match HOME_NET and exclude FIREWALLS..
However, that's not what you've declared.
The comma separated listings in IP address lists for snort is an OR
operator. So the list matches (HOME_NET) OR (not FIREWALLS) . If FIREWALLS
is a subset of HOME_NET, the result is the same as "any".
With snort syntax you cannot define HTTP_SERVERS = "everything in HOME_NET,
with the exclusion of my FIREWALLS". You have to define it by adding things
together.. no subtractions.
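
Added example, not part of the original post: a small Python model of the behaviour the reply describes (literal text substitution of variables, comma as OR), showing that the "subtractive" list matches every address while a list built by addition does not. The address ranges, host addresses and function names are constructed for illustration; the thread does not give the real values.

```python
import ipaddress
import re

# Constructed sample values; the post does not give the real ranges.
VARS = {"HOME_NET": "192.168.1.0/24", "FIREWALLS": "192.168.1.1/32"}

def expand(text, variables):
    """Expand $NAME by literal text substitution, as the reply describes."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)

def term_matches(term, addr):
    """One list element: a CIDR, negated if it starts with '!'."""
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(term.lstrip("!"))
    return not inside if term.startswith("!") else inside

def list_matches(ip_list, addr):
    """Comma means OR: the list matches if any single element matches."""
    terms = ip_list.strip("[]").split(",")
    return any(term_matches(t.strip(), addr) for t in terms)

# The declaration from the question, expanded by hand.
SUBTRACTIVE = expand("[$HOME_NET,!$FIREWALLS]", VARS)
# Built by addition only: list the web servers themselves (constructed hosts).
ADDITIVE = "[192.168.1.10/32,192.168.1.11/32]"

SAMPLES = {
    "firewall": "192.168.1.1",
    "web server": "192.168.1.10",
    "other internal host": "192.168.1.77",
    "outside host": "203.0.113.9",
}

def report():
    """Map each sample host to (matches SUBTRACTIVE, matches ADDITIVE)."""
    return {name: (list_matches(SUBTRACTIVE, ip), list_matches(ADDITIVE, ip))
            for name, ip in SAMPLES.items()}

if __name__ == "__main__":
    print("expanded:", SUBTRACTIVE)
    for name, (sub, add) in report().items():
        print(f"{name:20} subtractive={sub!s:5} additive={add}")
```

The firewall matches the first element and the outside host matches the negated one, so under OR semantics the subtractive list behaves like "any".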