[Snort-users] Will this work - negated hosts?

Weir, Jason jason.weir at ...14916...
Tue Oct 26 10:49:57 EDT 2010


var HOME_NET [192.168.1.0/22,192.168.2.0/24]

var DNS_SERVERS [192.168.1.1,192.168.2.1]

var HOME_NET_MINUS_DNS [$HOME_NET,!$DNS_SERVERS]

And then use $HOME_NET_MINUS_DNS in a rule like this.

alert tcp [10.1.1.1,10.1.1.2,10.1.1.3] any -> $HOME_NET_MINUS_DNS any

-Jason
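
A small model of how the variables above would be evaluated, as an added example that is not part of the original post and is not Snort code. It assumes the rule the Snort manual documents for IP lists: non-negated elements are OR'ed together and the result is ANDed with the negation of the OR'ed negated elements. The function names (`split_top`, `expand`, `matches`) are hypothetical.

```python
import ipaddress

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def expand(expr, variables):
    """Flatten an IP list into (include, exclude) lists of networks."""
    include, exclude = [], []
    def walk(text, negated):
        text = text.strip()
        if text.startswith("!"):        # modelling assumption: '!' flips polarity
            walk(text[1:], not negated)
        elif text.startswith("$"):      # variable reference, resolved recursively
            walk(variables[text[1:]], negated)
        elif text.startswith("["):
            for item in split_top(text[1:-1]):
                walk(item, negated)
        else:
            # strict=False masks host bits: 192.168.1.0/22 becomes 192.168.0.0/22
            net = ipaddress.ip_network(text, strict=False)
            (exclude if negated else include).append(net)
    walk(expr, False)
    return include, exclude

def matches(addr, expr, variables):
    """True if addr is in some included network and in no excluded one."""
    include, exclude = expand(expr, variables)
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in include) and not any(ip in n for n in exclude)

# Variable definitions copied from the post
VARS = {
    "HOME_NET": "[192.168.1.0/22,192.168.2.0/24]",
    "DNS_SERVERS": "[192.168.1.1,192.168.2.1]",
    "HOME_NET_MINUS_DNS": "[$HOME_NET,!$DNS_SERVERS]",
}
```

Under this model the two DNS servers are excluded and the rest of the home network still matches. Note that 192.168.1.0/22 masks to 192.168.0.0/22, which spans 192.168.0.0 through 192.168.3.255 and already contains 192.168.2.0/24.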


