[Snort-users] Exclude one IP

Paul Melson pmelson at ...11827...
Wed Nov 2 08:10:10 EST 2005


-----Original Message-----
Subject: Re: [Snort-users] Exclude one IP

> For example you can do IP lists with commas, but you cannot do so for
> ports.
>
> ie: a port specifier of 80,8080 is illegal, but [192.168.1.1,192.168.1.2]
> is not.
>
> There's clear precedent that IP lists and port lists do not behave the
> same way.
> Based on that, it would be exceptionally unwise for a user to assume that
> the ports behavior auto-magically must apply to IPs.

I agree with Matt, this is not at all clear and it is contrary to how
variables have worked in snort.conf in the past.  Can we get clarification
from someone on the Snort team as to how to build lists and use operators in
port and address variables in snort.conf?  I'll volunteer to write the FAQ
section on this if someone will just explain it to me.

For instance, is this comment from snort.conf now obsolete? :

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80

I have a small arsenal of docs on how to fudge various parts of snort.conf
to do things that don't work out of the box from as far back as 1.2 (like
host exclusions from HOME_NET using funneled subnet masks for specific
inclusion).  It would be nice to retire those.

Thanks,
PaulM
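
Added example, not part of the original message and not Snort project code: one way to compute the kind of host exclusion mentioned above, by splitting a network into the CIDR blocks that cover everything except one address and emitting them as a bracketed IP list. The function names and the sample addresses are constructed for illustration, and the output assumes snort.conf accepts comma-separated IP lists in brackets, as the quoted text states.

```python
import ipaddress


def funnel_exclude(network, excluded_host):
    """Return the CIDR blocks that cover `network` minus one host address.

    The network is halved repeatedly: the half that does not contain the
    excluded host is kept, and the half that does is split again, until
    only the excluded /32 (or /128) is left over and dropped.
    """
    net = ipaddress.ip_network(network)
    host = ipaddress.ip_address(excluded_host)
    if host not in net:
        return [net]  # nothing to carve out
    kept = []
    while net.prefixlen < net.max_prefixlen:
        low, high = net.subnets(prefixlen_diff=1)
        if host in low:
            kept.append(high)
            net = low
        else:
            kept.append(low)
            net = high
    return sorted(kept)


def snort_var(name, network, excluded_host):
    """Format the remaining blocks as a snort.conf variable definition."""
    blocks = funnel_exclude(network, excluded_host)
    return "var %s [%s]" % (name, ",".join(str(b) for b in blocks))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(snort_var("HOME_NET", "192.168.1.0/24", "192.168.1.10"))
```

Excluding one host from a /24 always yields eight blocks, one per prefix length from /25 to /32.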





