[Snort-users] Net minus one address?

Rich Adamson radamson at ...2127...
Mon Aug 1 05:17:25 EDT 2005


Is there a way to specify a complete class-c network minus one address?

Example: I want to monitor for all outgoing ftp sessions that happen
from within an internal class-c to the external net, alerting on every 
attempt except for one IP address. (It's acceptable for that one IP 
address to pull anti-virus defs via ftp for this banking network.)

Something like: 
 var FTP_NET [10.1.2.0/24, !10.1.2.5]

Other rules obviously need to watch the entire class-c, therefore it would
seem like a filter for that IP wouldn't be appropriate.

Thoughts?
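The semantics the post is asking for (a /24 with one host carved out, while other rules keep using the whole /24), modelled as an added example that is not part of the original post or of Snort's own code. It assumes the Snort 2 ipvar syntax, where a bracketed IP list may contain negated entries, e.g. `ipvar FTP_NET [10.1.2.0/24,!10.1.2.5]`, and a rule header of the form `alert tcp $FTP_NET any -> !$HOME_NET 21 (...)`; the variable names, the sample sessions and the sid are constructed for illustration. The parser and matcher below follow the documented Snort 2 list rules as the author of this example understands them: an address matches when it falls in some non-negated entry and in no negated entry, a list made only of negations means "anything except", `!any` is rejected, and a negated range that is broader than or equal to a non-negated one is a configuration error.

```python
"""Model of Snort 2 IP-list semantics for a "/24 minus one host" variable.

Constructed example (not Snort code). Assumed configuration it models:

    ipvar HOME_NET 10.1.2.0/24
    ipvar FTP_NET  [10.1.2.0/24,!10.1.2.5]
    alert tcp $FTP_NET any -> !$HOME_NET 21 (msg:"Outbound FTP"; sid:1000001;)
"""
import ipaddress
import re

# Assumed ipvar definitions: HOME_NET keeps the whole /24 for the other rules,
# FTP_NET is the same /24 with the anti-virus update host excluded.
IPVARS = {
    "HOME_NET": "10.1.2.0/24",
    "FTP_NET": "[10.1.2.0/24,!10.1.2.5]",
}


def expand(spec, ipvars=IPVARS):
    """Substitute $NAME references; wrapping in brackets keeps !$NAME negating the whole list."""
    return re.sub(r"\$(\w+)", lambda m: "[" + ipvars[m.group(1)] + "]", spec)


def _split_top_level(body):
    """Split on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse_ip_list(spec, negate=False):
    """Return (includes, excludes) as lists of ip_network for a Snort-style IP list."""
    spec = spec.strip()
    if spec.startswith("!"):
        return parse_ip_list(spec[1:], not negate)
    if spec.lower() == "any":
        if negate:
            raise ValueError("!any is not a valid IP list")
        return [ipaddress.ip_network("0.0.0.0/0")], []
    if spec.startswith("[") and spec.endswith("]"):
        inc, exc = [], []
        for part in _split_top_level(spec[1:-1]):
            i, e = parse_ip_list(part, negate)
            inc += i
            exc += e
        return inc, exc
    net = ipaddress.ip_network(spec, strict=False)
    return ([], [net]) if negate else ([net], [])


def validate(spec):
    """Reject lists where a negated range covers (or equals) a non-negated one."""
    inc, exc = parse_ip_list(spec)
    for e in exc:
        for i in inc:
            if i.version == e.version and i.subnet_of(e):
                raise ValueError(f"{i} is negated away entirely by !{e}")
    return inc, exc


def matches(spec, addr):
    """True if addr is covered by the list: in some include, in no exclude."""
    inc, exc = validate(spec)
    a = ipaddress.ip_address(addr)
    if any(a in e for e in exc):
        return False
    if not inc:          # negation-only list, e.g. ![10.1.2.0/24], means "anything else"
        return True
    return any(a in i for i in inc)


# The assumed rule header, reduced to what matters for matching.
RULE = {"src": "$FTP_NET", "dst": "!$HOME_NET", "dport": 21}


def alerting_sources(sessions, rule=RULE, ipvars=IPVARS):
    """Return the source addresses of (src, dst, dport) sessions the rule would fire on."""
    src_list = expand(rule["src"], ipvars)
    dst_list = expand(rule["dst"], ipvars)
    return [src for src, dst, dport in sessions
            if dport == rule["dport"]
            and matches(src_list, src)
            and matches(dst_list, dst)]


# Constructed sample traffic: (src, dst, dport).
SESSIONS = [
    ("10.1.2.5", "198.51.100.7", 21),    # the AV update host: excluded, no alert
    ("10.1.2.17", "198.51.100.7", 21),   # any other workstation: alert
    ("10.1.2.17", "10.1.2.9", 21),       # internal FTP: destination is not external
    ("10.1.2.44", "203.0.113.3", 443),   # not FTP at all
]

if __name__ == "__main__":
    print("alerting sources:", alerting_sources(SESSIONS))
    print("10.1.2.5 still in HOME_NET:", matches(expand("$HOME_NET"), "10.1.2.5"))
```

The point the model makes explicit is that the exclusion lives in a second variable, so the exempt host stays inside `$HOME_NET` for every other rule; `validate` is what would reject a contradictory list such as `[1.1.1.1,!1.1.0.0/16]` at load time rather than silently matching nothing.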