[Snort-users] HOME_NET Clarification
mkettler at ...4108...
Fri Oct 29 13:33:04 EDT 2004
At 12:24 PM 10/22/2004, Ilango S Allikuzhi wrote:
>Is it possible to define HOME_NET as [!10.40.1.0/24, !10.40.2.0/24,
>10.0.0.0/8, 192.168.1.0/24] for instance?
>In other words, we want all subnets under 10 except a few.
As a more specific response than the one generated by Joel:
No. You can't create an IP range with holes in it like that using snort.
Snort basically treats the commas as a logical OR operation. If an IP
matches any one of the entries in the list it is a match, regardless of
what any other entries might be.
You'd want some kind of logical AND operation, i.e. 10.0.0.0/8 AND
!10.40.1.0/24. But that would involve some fancier syntax than snort supports.
Side note: Your example is identical in function to "any", as it will match
any IP address in the entire range of IPs. [!10.40.1.0/24, !10.40.2.0/24]
or any other two non-overlapping negated ranges in the list will create the
same effect. This is a very common mistake.
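To make the OR-only behaviour described in this reply concrete, here is an added Python emulator (not code from the post, and not Snort's own parser) that evaluates a bracketed Snort-style list under the two semantics discussed: every entry OR'ed together, versus "in a positive entry AND in none of the negated ones". The list literal is the one from the question; the helper names are my own, and the emulator assumes only CIDR/host entries with an optional leading `!`.

```python
import ipaddress

# Constructed input: the exact list proposed in the question above.
QUESTION_LIST = "[!10.40.1.0/24, !10.40.2.0/24, 10.0.0.0/8, 192.168.1.0/24]"


def parse_list(spec):
    """Split a Snort-style bracketed list into (negated, network) pairs.

    Assumption: entries are plain CIDR blocks or host addresses with an
    optional leading '!'. Nested lists and variables are not handled.
    """
    inner = spec.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    entries = []
    for item in inner.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def matches_or_only(entries, addr):
    """Semantics the reply describes: every entry is OR'ed, and a negated
    entry matches whenever the address is OUTSIDE that network."""
    ip = ipaddress.ip_address(addr)
    return any((ip not in net) if negated else (ip in net)
               for negated, net in entries)


def matches_include_except(entries, addr):
    """The logical AND the reply says is actually wanted: the address must be
    inside some positive entry AND inside none of the negated entries.
    With no positive entries at all, 'everything except' is assumed."""
    ip = ipaddress.ip_address(addr)
    positives = [net for negated, net in entries if not negated]
    negatives = [net for negated, net in entries if negated]
    in_positive = any(ip in net for net in positives) if positives else True
    in_negative = any(ip in net for net in negatives)
    return in_positive and not in_negative


def has_disjoint_negations(entries):
    """True when the list contains two non-overlapping negated networks.
    Under OR-only semantics such a list matches every address, which is
    the 'identical to any' mistake the reply warns about."""
    negs = [net for negated, net in entries if negated]
    return any(not a.overlaps(b)
               for i, a in enumerate(negs) for b in negs[i + 1:])


if __name__ == "__main__":
    entries = parse_list(QUESTION_LIST)
    for addr in ("10.40.1.5", "10.1.2.3", "192.168.1.10", "8.8.8.8"):
        print(addr,
              "or-only:", matches_or_only(entries, addr),
              "include-except:", matches_include_except(entries, addr))
    print("two disjoint negations present:", has_disjoint_negations(entries))
```

Run stand-alone, the OR-only column is True for every address, including 10.40.1.5 (excluded by the first entry but matched by the second negation) and 8.8.8.8, which is the "identical to any" effect; the include-except column shows the holes the poster actually wanted. Checking a proposed HOME_NET against `has_disjoint_negations` before deploying it is a cheap way to catch a variable that has silently collapsed to "any" and will drown the sensor in alerts.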