[Snort-users] Multiple IP addresses or use of variables in threshold.conf using SUPPRESS

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Feb 15 00:59:13 EST 2005

--On 14 February 2005 10:12 -0600 Eric Hines <eric.hines at ...8860...> 

> I am having trouble specifying more than one IP in a suppress line in the
> threshold.conf. We've got to suppress 16 IP addresses and can't use a
> CIDR. Does anyone know if its possible to
> A) Specify a variable which contains a [ ] of multiple Ips

Yup; see $AIM_SERVERS in the standard config for an example.

> B) Specify more than one IP separated by comma's in a single suppress
> line?

It would seem not, from the manual (p.39ish)

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list