[Snort-users] Will this work - negated hosts?

Crook, Parker Parker_Crook at ...14786...
Tue Oct 26 11:02:21 EDT 2010


> -----Original Message-----
> From: Weir, Jason [mailto:jason.weir at ...14916...]
> Sent: Tuesday, October 26, 2010 10:50 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Will this work - negated hosts?
> 
> var HOME_NET [192.168.1.0/22,192.168.2.0/24]
> 
> var DNS_SERVERS [192.168.1.1,192.168.2.1]
> 
> var HOME_NET_MINUS_DNS [$HOME_NET,!$DNS_SERVERS]
> 
> And then use $HOME_NET_MINUS_DNS in a rule like this.
> 
> alert tcp [10.1.1.1,10.1.1.2,10.1.1.3] any -> $HOME_NET_MINUS_DNS any
> 
> -Jason

Jason, yes this will work... I have been using logical negations from IP ranges for quite some time successfully (page 26 of the 2.9 manual).

-Parker
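An added example, not part of the original thread and not Snort's own parser: a small Python model of how the variables posted above resolve, assuming the IP-list rule that non-negated entries are ORed and the result is ANDed with "not in any negated entry". It also assumes that 192.168.1.0/22 is masked to its network boundary and that a negation in front of a list applies to every element in it.

```python
import ipaddress

# Variables exactly as posted in the thread.
VARS = {
    "HOME_NET": "[192.168.1.0/22,192.168.2.0/24]",
    "DNS_SERVERS": "[192.168.1.1,192.168.2.1]",
    "HOME_NET_MINUS_DNS": "[$HOME_NET,!$DNS_SERVERS]",
}

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    return parts + [cur]

def flatten(expr, negated=False):
    """Expand $VARs and nested lists into (network, negated) pairs."""
    expr = expr.strip()
    if expr.startswith("!"):
        # Assumption: a leading "!" toggles negation for everything it covers.
        return flatten(expr[1:], not negated)
    if expr.startswith("$"):
        return flatten(VARS[expr[1:]], negated)
    if expr.startswith("["):
        return [p for item in split_top(expr[1:-1]) for p in flatten(item, negated)]
    # Assumption: host bits are masked off, so 192.168.1.0/22 -> 192.168.0.0/22.
    return [(ipaddress.ip_network(expr, strict=False), negated)]

def matches(addr, expr):
    """True if addr is in some non-negated entry and in no negated entry."""
    ip = ipaddress.ip_address(addr)
    pairs = flatten(expr)
    positives = [net for net, neg in pairs if not neg]
    negatives = [net for net, neg in pairs if neg]
    # A list holding only negated entries means "anything except those".
    included = not positives or any(ip in net for net in positives)
    return included and not any(ip in net for net in negatives)

if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.2.1", "192.168.1.50", "10.1.1.1"):
        print(host, matches(host, "$HOME_NET_MINUS_DNS"))
```

Checking a few addresses this way before deploying the rule confirms that the two DNS servers are excluded while the rest of $HOME_NET still matches.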



