[Snort-users] Snort home net and external net question

waldo kitty wkitty42 at ...14940...
Fri Sep 3 13:58:56 EDT 2010


On 9/3/2010 13:01, Andy Berryman wrote:
> I tried that, but am getting an error. I’m running 2.8.6.0
>
> Sep 3 16:51:33 (none) snort[18415]: FATAL ERROR: /snort/conf/general.rules(1)
> Negated IP ranges that are equal to or are more general than non-negated ranges
> are not allowed. Consider inverting the logic: $EXTERNAL_NET.

reading the above, i would say that it is because your HOME_NET is more general 
(wider range) than the non-negated range (the /24)... it may also be that 
because the non-negated one is within the negated one that it is whining...

> var HOME_NET [10.215.0.0/16]
>
> var EXTERNAL_NET [10.215.40.0/24,!$HOME_NET]
>
> Is it b/c my home net is a /16 and the external net I’m trying to add is a /24?

not that i can see and definitely not by the text used in the error message...

>
> Thanks,
>
> Andy
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Friday, September 03, 2010 11:53 AM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Snort home net and external net question
>
> On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:
>
> If I have my home net of snort set to:
>
> var HOME_NET [10.215.0.0/16]
>
> How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
>
> With recent versions of Snort, you can do positives and negatives in the same
> variable, but the more specific entry needs to come first.
>
> var HOME_NET [10.215.0.0/16]
>
> var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]
>
> Should work.
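To see why Snort rejects the EXTERNAL_NET line quoted above, here is an added Python script (not from the thread or the Snort project) that reproduces the check the error message describes: it expands a Snort IP-list variable, resolves $VAR references, and reports any negated range that is equal to or wider than a positive range in the same list. The NARROWER_NEGATION line is a constructed variant used only to show which direction the rule allows; the parser is a simplification of Snort's own, not a reimplementation of it.

```python
import ipaddress

# Constructed variable lines copied from the thread: a /16 HOME_NET and an
# EXTERNAL_NET that mixes a positive /24 with the negated HOME_NET.
THREAD_CONF = {
    "HOME_NET": "[10.215.0.0/16]",
    "EXTERNAL_NET": "[10.215.40.0/24,!$HOME_NET]",
}

# Constructed variant that passes the same check: the negated range is
# narrower than the positive one, so the rule in the error message holds.
NARROWER_NEGATION = "[10.215.0.0/16,!10.215.40.0/24]"


def expand(ip_list, variables):
    """Expand "[a,!b,$VAR,!$VAR]" into (positive_nets, negated_nets).

    $VAR is resolved from `variables`; !$VAR negates each of VAR's entries.
    Only variables made of positive entries may be negated here, because the
    complement of a mixed list needs set arithmetic this script does not model.
    """
    positives, negatives = [], []
    for item in ip_list.strip().strip("[]").split(","):
        item = item.strip()
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            sub_pos, sub_neg = expand(variables[item[1:]], variables)
            if negated and sub_neg:
                raise ValueError(f"cannot negate mixed list ${item[1:]}")
            if negated:
                sub_pos, sub_neg = [], sub_pos
            positives += sub_pos
            negatives += sub_neg
        else:
            net = ipaddress.ip_network(item, strict=False)
            (negatives if negated else positives).append(net)
    return positives, negatives


def check_list(ip_list, variables):
    """Return (negated, positive) pairs the error message rejects: a negated
    range that is equal to or more general than a non-negated range."""
    positives, negatives = expand(ip_list, variables)
    return [(neg, pos) for neg in negatives for pos in positives
            if pos.subnet_of(neg)]


if __name__ == "__main__":
    for name, ip_list in THREAD_CONF.items():
        print(name, check_list(ip_list, THREAD_CONF) or "ok")
    print("NARROWER_NEGATION", check_list(NARROWER_NEGATION, {}) or "ok")
```

For the thread's EXTERNAL_NET the script reports the pair (10.215.0.0/16, 10.215.40.0/24): the negated /16 contains the positive /24, which is exactly the condition Snort refuses.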
