[Snort-users] HOME_NET Clarification

Matt Kettler mkettler at ...4108...
Fri Oct 29 13:33:04 EDT 2004

At 12:24 PM 10/22/2004, Ilango S Allikuzhi wrote:
>Is it possible to define HOME_NET as [!, !, 
>,]  for instance?
>In other words, we want all subnets under 10 except a few.

As a more specific response than the one generated by Joel:

No. You can't create an IP range with holes in it like that using Snort.

Snort basically treats the commas as a logical OR operation. If an IP 
matches any one of the entries in the list it is a match, regardless of 
what any other entries might be.

You'd want some kind of logical AND operation, i.e.: AND 
! But that would involve some fancier syntax than Snort supports.

Side note: Your example is identical in function to "any", as it will match 
any IP address in the entire range of IPs. [!, !] 
or any other two non-overlapping negated ranges in the list will create the 
same effect. This is a very common mistake.
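An added illustration, not code from the original thread, that models the two list readings this reply describes: commas as logical OR (what the reply says Snort does) versus the AND the question wanted, plus a check for the non-overlapping negated pair that collapses to "any". The CIDRs are constructed placeholders, since the original message's ranges did not survive in the archive.

```python
import ipaddress

# Constructed example list: the original message's ranges did not survive,
# so these CIDRs are placeholders standing in for "all of 10/8 except a few".
EXAMPLE_LIST = "[!10.1.0.0/16, !10.2.0.0/16, 10.0.0.0/8]"


def parse_list(text):
    """Split a Snort-style bracketed list into (negated, network) pairs."""
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    entries = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        entries.append((negated, net))
    return entries


def or_semantics_match(text, ip):
    """Comma as logical OR, as the reply describes: any single entry that
    matches (a negated entry matches when the address is outside it)
    makes the whole list match, regardless of the other entries."""
    addr = ipaddress.ip_address(ip)
    return any((addr in net) != negated for negated, net in parse_list(text))


def and_semantics_match(text, ip):
    """The behaviour the question wanted: inside some non-negated entry
    AND outside every negated entry."""
    addr = ipaddress.ip_address(ip)
    entries = parse_list(text)
    allowed = [net for neg, net in entries if not neg]
    denied = [net for neg, net in entries if neg]
    return any(addr in n for n in allowed) and not any(addr in n for n in denied)


def negated_pair_matches_any(text):
    """Flag the common mistake: two negated entries that do not overlap
    match every address under OR semantics, so the list equals 'any'."""
    negs = [net for neg, net in parse_list(text) if neg]
    return any(not a.overlaps(b)
               for i, a in enumerate(negs) for b in negs[i + 1:])
```

Later Snort 2.x releases with the ipvar syntax changed how negated entries combine with the rest of a list, so check the manual for the version in use before relying on either reading.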

