
Re: [Snort-users] HOME_NET Clarification

Subject: Re: [Snort-users] HOME_NET Clarification
Date: Fri, 29 Oct 2004 16:32:10 -0400
At 12:24 PM 10/22/2004, Ilango S Allikuzhi wrote:
> Is it possible to define HOME_NET as [!10.40.1.0/24, !10.40.2.0/24, 10.0.0.0/8, 192.168.1.0/24] for instance?
> In other words, we want all subnets under 10 except a few.

As a more specific response than the one generated by Joel:

No. You can't create an IP range with holes in it like that using Snort.

Snort basically treats the commas as a logical OR operation. If an IP matches any one of the entries in the list, it is a match, regardless of what any other entries might be.

You'd want some kind of logical AND operation, i.e. 10.0.0.0/8 AND !10.40.1.0/24. But that would involve some fancier syntax than Snort supports.

Side note: Your example is identical in function to "any", as it will match any IP address in the entire range of IPs. [!10.40.1.0/24, !10.40.2.0/24] or any other two non-overlapping negated ranges in the list will create the same effect. This is a very common mistake.
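
Added example, not part of the original message and not Snort's own code: a Python model of the comma-as-OR matching described in the reply, run against the list from the question, next to the AND-NOT test the question intended. It goes one step further and rewrites "10.0.0.0/8 minus the two /24s" as positive CIDR blocks only, which a pure OR list can express. All function names are hypothetical, and the matching logic is an assumption based on the description above.

```python
import ipaddress

# The list from the question, split into entries.
QUESTION_LIST = ["!10.40.1.0/24", "!10.40.2.0/24", "10.0.0.0/8", "192.168.1.0/24"]
INCLUDE = ["10.0.0.0/8", "192.168.1.0/24"]
EXCLUDE = ["10.40.1.0/24", "10.40.2.0/24"]

def parse(entry):
    """Split an entry such as '!10.40.1.0/24' into (negated, network)."""
    entry = entry.strip()
    return entry.startswith("!"), ipaddress.ip_network(entry.lstrip("!"))

def or_list_matches(entries, addr):
    """Model of the behaviour described in the post (an assumption, not
    Snort source): every entry is tested alone and the results are ORed."""
    ip = ipaddress.ip_address(addr)
    for negated, net in map(parse, entries):
        if (ip in net) != negated:   # positive hit, or outside a negated net
            return True
    return False

def and_not_matches(include, exclude, addr):
    """What the question wanted: in an included range AND in no excluded one."""
    ip = ipaddress.ip_address(addr)
    inside = any(ip in ipaddress.ip_network(n) for n in include)
    in_hole = any(ip in ipaddress.ip_network(n) for n in exclude)
    return inside and not in_hole

def positive_blocks(include, exclude):
    """Express include-minus-exclude using positive CIDR blocks only."""
    blocks = [ipaddress.ip_network(n) for n in include]
    for hole in map(ipaddress.ip_network, exclude):
        remaining = []
        for block in blocks:
            if hole.subnet_of(block):
                # Carve the hole out; yields the sibling blocks around it.
                remaining.extend(block.address_exclude(hole))
            elif not block.subnet_of(hole):
                remaining.append(block)   # disjoint from the hole: keep
        blocks = remaining
    return sorted(blocks)

if __name__ == "__main__":
    for addr in ("10.40.1.5", "10.40.3.9", "8.8.8.8"):
        print(addr,
              "OR-list:", or_list_matches(QUESTION_LIST, addr),
              "intended:", and_not_matches(INCLUDE, EXCLUDE, addr))
    print(", ".join(str(b) for b in positive_blocks(INCLUDE, EXCLUDE)))
```
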




