[Snort-users] Will this work - negated hosts?

Weir, Jason jason.weir at ...14916...
Tue Oct 26 12:24:45 EDT 2010


> -----Original Message-----
> From: Crook, Parker [mailto:Parker_Crook at ...14786...] 
> Sent: Tuesday, October 26, 2010 11:02 AM
> To: Weir, Jason; snort-users at lists.sourceforge.net
> Subject: RE: Will this work - negated hosts?
> 
> 
> > -----Original Message-----
> > From: Weir, Jason [mailto:jason.weir at ...14916...]
> > Sent: Tuesday, October 26, 2010 10:50 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Will this work - negated hosts?
> > 
> > var HOME_NET [192.168.1.0/22,192.168.2.0/24]
> > 
> > var DNS_SERVERS [192.168.1.1,192.168.2.1]
> > 
> > var HOME_NET_MINUS_DNS [$HOME_NET,!$DNS_SERVERS]
> > 
> > And then use $HOME_NET_MINUS_DNS in a rule like this.
> > 
> > alert tcp [10.1.1.1,10.1.1.2,10.1.1.3] any -> $HOME_NET_MINUS_DNS any
> > 
> > -Jason
> 
> Jason, yes this will work... I have been using logical 
> negations from IP ranges for quite some time successfully 
> (page 26 of the 2.9 manual).
> 
> -Parker

Looks like this is not working with 2.8.6.1. Can anyone verify?

Any ideas?

-J
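
The negation semantics the Snort manual documents for IP lists (non-negated elements are OR'ed together, and the result is AND'ed with the negated elements), modelled in Python as an added example; it is not part of the original thread and not Snort's own code. It shows the documented behaviour only and does not establish what 2.8.6.1 does; `split_top`, `flatten` and `matches` are hypothetical helper names.

```python
import ipaddress

# Variables as posted in the thread, used as input to the model.
VARS = {
    "HOME_NET": "[192.168.1.0/22,192.168.2.0/24]",
    "DNS_SERVERS": "[192.168.1.1,192.168.2.1]",
    "HOME_NET_MINUS_DNS": "[$HOME_NET,!$DNS_SERVERS]",
}

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    if cur:
        parts.append(cur)
    return parts

def flatten(expr, variables, negated=False):
    """Return (included, excluded) networks for an IP list expression."""
    expr = expr.strip()
    if expr.startswith("!"):          # nested double negation is not modelled
        negated, expr = True, expr[1:].strip()
    if expr.startswith("$"):          # variable reference: expand and recurse
        return flatten(variables[expr[1:]], variables, negated)
    if expr.startswith("["):          # bracketed list: merge each element
        inc, exc = [], []
        for part in split_top(expr[1:-1]):
            i, e = flatten(part, variables, negated)
            inc += i
            exc += e
        return inc, exc
    net = ipaddress.ip_network(expr, strict=False)  # host bits are masked off
    return ([], [net]) if negated else ([net], [])

def matches(addr, name, variables=VARS):
    """True if addr is in an included network and in no excluded network."""
    inc, exc = flatten("$" + name, variables)
    ip = ipaddress.ip_address(addr)
    # A list holding only negated elements means "anything except those".
    return (not inc or any(ip in n for n in inc)) and not any(ip in n for n in exc)
```

In this model `192.168.1.0/22` has host bits set and is masked to `192.168.0.0/22`, so addresses in 192.168.0.x and 192.168.3.x also count as part of `HOME_NET_MINUS_DNS`.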

