[Snort-users] HOME_NET Clarification

Matt Kettler mkettler at ...4108...
Fri Oct 29 13:33:04 EDT 2004


At 12:24 PM 10/22/2004, Ilango S Allikuzhi wrote:
>Is it possible to define HOME_NET as [!10.40.1.0/24, !10.40.2.0/24, 
>10.0.0.0/8, 192.168.1.0/24]  for instance?
>In other words, we want all subnets under 10 except a few.

As a more specific response than the one generated by Joel:

No. You can't create an IP range with holes in it like that using Snort.

Snort basically treats the commas as a logical OR operation. If an IP 
matches any one of the entries in the list it is a match, regardless of 
what any other entries might be.

You'd want some kind of logical AND operation, i.e. 10.0.0.0/8 AND 
!10.40.1.0/24. But that would involve some fancier syntax than Snort supports.

Side note: Your example is identical in function to "any", as it will match 
any IP address in the entire range of IPs. [!10.40.1.0/24, !10.40.2.0/24] 
or any other two non-overlapping negated ranges in the list will create the 
same effect. This is a very common mistake.
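The following is an added illustration, not code from the post or from Snort: a small Python model of the list semantics described above (comma as OR, "!" negating a single entry), compared with the AND behaviour the question was asking for, plus a lint check that flags a list which collapses to "any" because it holds two non-overlapping negated entries. HOME_NET_SPEC and the sample addresses are constructed from the question; the function names are my own.

```python
import ipaddress

# Constructed example: the HOME_NET list from the question above.
HOME_NET_SPEC = "[!10.40.1.0/24, !10.40.2.0/24, 10.0.0.0/8, 192.168.1.0/24]"


def parse_list(spec):
    """Split a Snort-style bracketed list into (negated, network) pairs."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        net = ipaddress.ip_network(item[1:].strip() if negated else item, strict=False)
        entries.append((negated, net))
    return entries


def matches_or_semantics(spec, ip):
    """Semantics described in the post: the address matches if ANY entry is
    satisfied; a negated entry is satisfied whenever the address lies outside it."""
    addr = ipaddress.ip_address(ip)
    return any((addr not in net) if neg else (addr in net) for neg, net in parse_list(spec))


def matches_intended(spec, ip):
    """What the question wanted (not Snort syntax of the time): inside some
    positive entry AND outside every negated entry."""
    addr = ipaddress.ip_address(ip)
    entries = parse_list(spec)
    positives = [net for neg, net in entries if not neg]
    inside = any(addr in net for net in positives) if positives else True
    excluded = any(addr in net for neg, net in entries if neg)
    return inside and not excluded


def collapses_to_any(spec):
    """Lint check: two negated entries that do not overlap cover every address
    between them under OR semantics, so the whole list is equivalent to 'any'."""
    negs = [net for neg, net in parse_list(spec) if neg]
    return any(not a.overlaps(b) for i, a in enumerate(negs) for b in negs[i + 1:])


if __name__ == "__main__":
    for ip in ("10.40.1.5", "10.50.0.1", "8.8.8.8"):
        print(ip, "OR-semantics:", matches_or_semantics(HOME_NET_SPEC, ip),
              "intended:", matches_intended(HOME_NET_SPEC, ip))
    print("collapses to any:", collapses_to_any(HOME_NET_SPEC))
```

Running it shows 8.8.8.8 and 10.40.1.5 both counted as HOME_NET under OR semantics while the intended AND reading excludes them, and the lint flags the list as equivalent to "any".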