[Snort-users] Snort home net and external net question

waldo kitty wkitty42 at ...14940...
Fri Sep 3 13:54:35 EDT 2010


On 9/3/2010 12:52, Joel Esler wrote:
> On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:
>
>> If I have my home net of snort set to:
>> var HOME_NET [10.215.0.0/16]
>> How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
>
> With recent versions of Snort,

please define "recent"... 2.8.3?

> you can do positives and negatives in the same
> variable, but the more specific entry needs to come first.
>
> var HOME_NET [10.215.0.0/16]
> var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]

[aside] bug alert in the above! 2 bugs exist [/aside]

now that's nice and a lot easier than using a CIDR calculator to work out the
ranges, as I did for my reply...

if you have two or more sub-ranges, do they all go first, before !HOME_NET?
does their numerical order matter?

i.e.:
var HOME_NET [10.215.0.0/16]
var EXTERNAL_NET [10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]
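A small Python model of the ordering rule described in the quoted reply, added here as an illustration and not code from Snort or from anyone in this thread. It parses Snort-style IP lists with `$VAR` references and `!` negation, evaluates membership under an assumed first-contained-entry-wins rule, and lints exception entries that do not sit inside the range they are carved from, which catches both slips in the quoted EXTERNAL_NET line; Snort's real matcher may differ, so the semantics here are an assumption.

```python
import ipaddress

def parse_iplist(text, variables=None):
    """Parse a Snort-style list like '[10.215.40.0/24,!$HOME_NET]' into an
    ordered list of (negated, network). $NAME expands from `variables`
    (name -> parsed list); '!$NAME' flips the sign of each expanded entry.
    Nested brackets are not handled (a simplification, not Snort's grammar)."""
    variables = variables or {}
    entries = []
    for item in text.strip().strip("[]").split(","):
        item = item.strip()
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            entries.extend((neg != negated, net) for neg, net in variables[item[1:]])
        else:
            entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries

def matches(ip, entries):
    """Model of the ordering rule quoted in the thread (an assumption, not
    Snort's own matcher): the first entry whose network contains `ip`
    decides, positive -> in the list, negated -> not. An address inside no
    entry is in the list only if some entry is negated ('!X' = all but X)."""
    addr = ipaddress.ip_address(ip)
    for negated, net in entries:
        if addr in net:
            return not negated
    return any(negated for negated, _ in entries)

def check_exceptions(entries):
    """Lint for the slips called out in the thread: a positive entry placed
    before a negated range must be a strict subnet of it, otherwise it is a
    typo (wrong octet) or wider than the range it should carve from."""
    problems = []
    for i, (negated, net) in enumerate(entries):
        later = [n for neg, n in entries[i + 1:] if neg]
        if not negated and later and not any(
                net != n and net.subnet_of(n) for n in later):
            problems.append(str(net))
    return problems

HOME_NET = parse_iplist("[10.215.0.0/16]")
VARS = {"HOME_NET": HOME_NET}
# The reply's line as written; 10.216 and /16 are the two slips flagged in the thread
EXTERNAL_NET_AS_WRITTEN = parse_iplist("[10.216.40.0/16,!$HOME_NET]", VARS)
# What the original question asked for
EXTERNAL_NET = parse_iplist("[10.215.40.0/24,!$HOME_NET]", VARS)
# Several sub-ranges ahead of the negation, as in the follow-up question
EXTERNAL_NET_MULTI = parse_iplist("[10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]", VARS)
```

Under this model the order among disjoint positive sub-ranges does not matter, only that they precede the negated range; putting `!$HOME_NET` first would swallow the exceptions.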
