[Snort-users] Snort home net and external net question
wkitty42 at ...14940...
Fri Sep 3 13:54:35 EDT 2010
On 9/3/2010 12:52, Joel Esler wrote:
> On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:
>> If I have my home net of snort set to:
>> var HOME_NET [10.215.0.0/16]
>> How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
> With recent versions of Snort,

please define "recent"... 2.8.3?

> you can do positives and negatives in the same
> variable, but the more specific entry needs to come first.
> var HOME_NET [10.215.0.0/16]
> var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]

[aside] bug alert in the above! 2 bugs exist [/aside]

now that's nice and a lot easier than using a CIDR calculator to work out the
ranges as i did for my reply...

if you have two or more sub-ranges, they all go first before !HOME_NET?
does their numerical order matter?

var HOME_NET [10.215.0.0/16]
var EXTERNAL_NET [10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]
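
Added example, not part of the original message or of Snort: a small Python lint for this kind of EXTERNAL_NET list. It assumes each positive entry is meant to be a carve-out inside HOME_NET, as in the question above, and that $HOME_NET holds a single CIDR. The function names are hypothetical, and it checks only the CIDR arithmetic, not how Snort evaluates the list.

```python
import ipaddress

def parse_list(value, variables):
    """Split a Snort-style bracketed list into (negated, cidr_text) pairs."""
    entries = []
    for item in value.strip().strip("[]").split(","):
        item = item.strip()
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            # Expand a variable reference (assumed to hold one CIDR).
            item = variables[item[1:]].strip("[]")
        entries.append((negated, item))
    return entries

def lint_carve_outs(external, variables, home="HOME_NET"):
    """Report positive entries that are malformed or fall outside HOME_NET."""
    home_net = ipaddress.ip_network(variables[home].strip("[]"))
    findings = []
    for negated, text in parse_list(external, variables):
        if negated:
            continue
        # strict=False accepts host bits so that they can be reported.
        net = ipaddress.ip_network(text, strict=False)
        if str(net) != text:
            findings.append((text, f"host bits set; normalises to {net}"))
        if not net.subnet_of(home_net):
            findings.append((text, f"not inside {home_net}"))
    return findings

# The two variable lines from this thread, copied as written.
VARIABLES = {"HOME_NET": "[10.215.0.0/16]"}
QUOTED = "[10.216.40.0/16,!$HOME_NET]"
MULTI = "[10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]"

if __name__ == "__main__":
    for name, value in (("quoted", QUOTED), ("multi", MULTI)):
        for entry, problem in lint_carve_outs(value, VARIABLES):
            print(f"{name}: {entry}: {problem}")
```
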