[Snort-users] Snort Variables

bmcdowell at ...7861... bmcdowell at ...7861...
Fri Feb 6 12:24:18 EST 2004


Check out http://subnetcreator.sourceforge.net/ if you're looking for a
tool to help you come up with a list of subnets you can add together to
get what you're after.

Bob

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Matt
Kettler
Sent: Friday, February 06, 2004 12:38 PM
To: SN ORT; Snort Users
Subject: Re: [Snort-users] Snort Variables


At 11:32 AM 2/6/2004, SN ORT wrote:
>OK, so in the process of optimizing my config, I want
>to be able to check and see that the variables are
>reading and storing the correct info I put in the
>config. Example:
>
>var $HTTP_SERVERS [$HOME_NET,!$FIREWALLS]
>
>So how do I look at this variable to see it's
>contents?

Expand it by hand... They're just done as literal text substitution.

I suspect you have a common and obvious logic bug. From looking at the 
above, you want to match HOME_NET and exclude FIREWALLS..

However, that's not what you've declared.

The comma separated listings in IP address lists for snort is an OR 
operator. So the list matches (HOME_NET) OR (not FIREWALLS) . If
FIREWALLS 
is a subset of HOME_NET, the result is the same as "any"


With snort syntax you cannot define HTTP_SERVERS = "everything in
HOME_NET, 
with the exlusion of my FIREWALLS". You have to define it by adding
things 
together.. no subtractions.







-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list