[Snort-users] [Emerging-Sigs] How to exclude one IP address from HOME_NET

Joel Esler jesler at ...1935...
Mon Oct 1 17:39:37 EDT 2012


Glad it helps!


On Oct 1, 2012, at 5:33 PM, Jack Pepper <pepperjack at ...14319...> wrote:

> I did not know this was available.  that's a way better (and more inuitive) solution.  
>       ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]] 
> jp
> 
> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...1935...> wrote:
> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...14319...> wrote:
> 
>> the subject of how to exclude one IP address from HOME_NET still comes up occasionally.  Usually it's a proxy server.  I wrote a little program a long time ago (2008?) to create a HOME_NET statement with the proxy address excluded.  Herewith I offer it to the public (should a done that a long time ago).
>>      http://www.autoshun.org/exclusion.asp
> 
> Please see this section of the Snort Manual:
> 
> http://manual.snort.org/node16.html#SECTION00312000000000000000
> 
> As it references how to exclude certain IPs within a variable.
> 
> Also Cc'ing the Snort-users list, as this is a Snort issue (not an emerging-sigs issue) and someone may find it useful.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121001/507068c6/attachment.html>


More information about the Snort-users mailing list