[Snort-users] Net minus one address?
radamson at ...2127...
Mon Aug 1 05:17:25 EDT 2005

Is there a way to specify a complete class-c network minus one address?

Example: I want to monitor for all outgoing ftp sessions that happen
from within an internal class-c to the external net, alerting on every
attempt except for one IP address. (It's acceptable for that one IP
address to pull anti-virus defs via ftp for this banking network.)

var FTP_NET [10.1.2.0/24, !10.1.2.5]

Other rules obviously need to watch the entire class-c, therefore it would
seem like a filter for that IP wouldn't be appropriate.
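
The "network minus one address" match asked about above, as an added Python example that is not part of the original post and is not Snort's own list parser. The function names and the sample flows are constructed, and it assumes an address matches when it is in some non-negated entry and in no negated one, with any destination outside the list counting as external.

```python
import ipaddress

def parse_addr_list(spec):
    """Split "[net, !host, ...]" into (included, excluded) network lists."""
    include, exclude = [], []
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item.lstrip("!").strip())
        (exclude if item.startswith("!") else include).append(net)
    if not include:
        raise ValueError("need at least one non-negated entry")
    return include, exclude

def matches(addr, include, exclude=()):
    """True if addr is in some included network and in no excluded one."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in include) and not any(ip in n for n in exclude)

def outbound_ftp_alerts(flows, spec, ftp_port=21):
    """Return (src, dst) for FTP control connections leaving the listed set."""
    include, exclude = parse_addr_list(spec)
    alerts = []
    for src, dst, dport in flows:
        if dport != ftp_port:
            continue        # not an FTP control connection
        if not matches(src, include, exclude):
            continue        # outside the monitored net, or the exempt host
        if matches(dst, include):
            continue        # assumption: same-net traffic is not "outgoing"
        alerts.append((src, dst))
    return alerts

# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("10.1.2.5",   "198.51.100.10", 21),   # exempt host pulling AV updates
    ("10.1.2.17",  "198.51.100.10", 21),   # should alert
    ("10.1.2.17",  "198.51.100.10", 443),  # not FTP
    ("10.1.2.40",  "10.1.2.9",      21),   # internal to internal
    ("10.1.3.8",   "203.0.113.4",   21),   # different internal net
    ("10.1.2.254", "203.0.113.4",   21),   # should alert
]

if __name__ == "__main__":
    for src, dst in outbound_ftp_alerts(FLOWS, "[10.1.2.0/24, !10.1.2.5]"):
        print(f"ALERT outbound FTP {src} -> {dst}")
```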