On 9/3/2010 12:52, Joel Esler wrote:
> On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:
>> If I have my home net of snort set to:
>> var HOME_NET []
>> How can I make my external net be !$HOME_NET and subnet?
> With recent versions of Snort,

please define "recent"... 2.8.3?

> you can do positives and negatives in the same
> variable, but the more specific entry needs to come first.
 > var HOME_NET []

[aside] bug alert in the above! 2 bugs exist [/aside]

now that's nice and a lot easier than using a CIDR calculator to work out the 
ranges as i did for my reply...

if you have two or more sub-ranges, they all go first before !HOME_NET?
does their numerical order matter?

var HOME_NET []

