[Snort-users] Net minus one address?

Jason Brvenik jasonb at ...1935...
Mon Aug 1 06:58:30 EDT 2005


Rich Adamson wrote:
> Is there a way to specify a complete class-c network minus one address?
> 
> Example: I want to monitor for all outgoing ftp sessions that happen
> from within an internal class-c to the external net, alerting on every 
> attempt except for one IP address. (It's acceptable for that one IP 
> address to pull anti-virus def's via ftp for this banking network.)
> 
> Something like: 
>  var FTP_NET [10.1.2.0/24, !10.1.2.5]
> 

You can use suppression or a pass rule to handle this case.

suppress - 
http://www.snort.org/docs/snort_htmanuals/htmanual_233/node13.html

pass -
http://www.snort.org/docs/snort_htmanuals/htmanual_233/node18.html


HTH.

> Other rules obviously need to watch the entire class-c, therefore it would
> seem like a filter for that IP wouldn't be appropriate.
> 
> Thoughts?
> 
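Both options Jason points to, applied to Rich's 10.1.2.0/24 case, as an added snort.conf fragment that is not part of the original thread; the rule text, SIDs, variable names and the rule-order caveat are my own choices for Snort 2.x syntax.

```snort
# Added example, not from the thread. Assumes Snort 2.x rule syntax and
# locally chosen SIDs; adjust names and numbers to your own snort.conf.
var FTP_NET 10.1.2.0/24
var EXTERNAL_NET !$FTP_NET

# Option 1: a pass rule for the single permitted host. In the Snort 2.3-era
# releases the linked manual covers, pass rules are only evaluated before
# alert rules when Snort is started with -o (or "config order: pass alert
# log activation" in snort.conf); without that, the alert below still
# fires for 10.1.2.5.
pass tcp 10.1.2.5 any -> $EXTERNAL_NET 21 (msg:"Permitted AV update host outbound FTP"; flags:S; sid:1000001; rev:1;)

# Alert on every other outbound FTP connection attempt (initial SYN)
# leaving the class C; other rules can keep watching all of $FTP_NET.
alert tcp $FTP_NET any -> $EXTERNAL_NET 21 (msg:"Outbound FTP attempt from internal net"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)

# Option 2: suppression. Leave the alert rule as is and mute only sid
# 1000002 for that one source address; no rule-order change is needed.
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.1.2.5
```

Use one option or the other: with suppression the event is still generated and counted internally but never logged, whereas a pass rule stops the packet from being inspected by the alert rule at all.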
