[Snort-users] Snort home net and external net question

Andy Berryman aberryman at ...14765...
Fri Sep 3 13:01:58 EDT 2010


I tried that, but am getting an error. I'm running 2.8.6.0

 

Sep  3 16:51:33 (none) snort[18415]: FATAL ERROR:
/snort/conf/general.rules(1) Negated IP ranges that are equal to or are
more general than non-negated ranges are not allowed.  Consider
inverting the logic: $EXTERNAL_NET.

 

var HOME_NET [10.215.0.0/16]

var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET]

 

Is it b/c my home net is a /16 and the external net I'm trying to add is
a /24? 

 

 

Thanks,

Andy 

 

 

From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Friday, September 03, 2010 11:53 AM
To: Andy Berryman
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort home net and external net question

 

On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:





If I have my home net of snort set to:

 

var HOME_NET [10.215.0.0/16]

 

How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?

 

 

With recent versions of Snort, you can do positives and negatives in the
same variable, but the more specific entry needs to come first.

 

var HOME_NET [10.215.0.0/16]

var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]

 

Should work.

 

Joel

 


###############################################################################
This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above.  If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited.  If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.                    
###############################################################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100903/7fbe9a58/attachment.html>


More information about the Snort-users mailing list