Network Security Snort-Users
Subject: Re: [Snort-users] Variable to specify 2 networks and exclude 1 host - How?
Date: Thu, 14 Jul 2005 14:04:20 -0400
Simon Yip wrote:
> Thanks PaulM.
>
> That could be a solution, while I hope to have something like
> ![IP=155.200.2.10,!$HOME_NET]
> I have tried my above expression in a rule but it just gives me a fatal
> error.
> where HOME_NET= [155.200.2.0/24,155.200.3.0/24]
>
> My purpose is to filter out a particular type of false positive alerts
> created by a host (its cron job generated the alert), but I do not want
> to ignore all alerts of this type.



Usually you wind up having to create a pass rule to ignore traffic to the single
host.

AFAIK there is no way to create a "range with an arbitrary hole in it" as a
single specifier in snort, but your idea is a good one.

You could try to rephrase the above declaration as this:
![155.200.2.10/32,!$HOME_NET]

Note the removal of the "IP=" syntax and instead I'm using /32 to limit it to
one IP. Snort's parser might be happier with that.

For those who wonder how this could work, in theory this parses as:

NOT ( 155.200.2.10/32 OR NOT HOME_NET)

Which if you do a DeMorgan's theorem conversion on it you get:

(NOT 155.200.2.10/32) AND (HOME_NET)

However, you might wind up having snort's parser barf with that; it might not
want to do anything that complex, I've never tried...

Try it and see.
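The boolean reading given in the reply (comma as OR, "!" as NOT, DeMorgan turning the whole thing into "not the host AND inside HOME_NET") can be checked offline with a small evaluator. The following is an added example and not code from the thread or from the Snort project; it models only the "in theory" interpretation stated above, not Snort's actual parser, and the HOME_NET value and the test addresses are constructed from the thread.

```python
import ipaddress

# Constructed from the thread: HOME_NET covers two /24s.
VARIABLES = {
    "HOME_NET": "[155.200.2.0/24,155.200.3.0/24]",
}


def _split_top_level(text):
    """Split a list body on commas that are not nested inside inner brackets."""
    items, depth, current = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        items.append("".join(current).strip())
    return [item for item in items if item]


def matches(expr, address, variables=VARIABLES):
    """Evaluate an address specifier against one IP under the reply's reading.

    Assumed semantics (the thread's 'in theory' model, not a claim about
    Snort's real parser): a leading '!' negates, '$NAME' expands a variable,
    '[a,b,...]' is true if ANY member is true (OR), and a bare host or CIDR
    is true if the address falls inside it. A malformed entry such as
    'IP=155.200.2.10' raises ValueError, standing in for Snort's fatal error.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(expr[1:], address, variables)
    if expr.startswith("$"):
        name = expr[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return matches(variables[name], address, variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(matches(item, address, variables)
                   for item in _split_top_level(expr[1:-1]))
    # Plain host or CIDR; a bare address is treated as a single host.
    return ipaddress.ip_address(address) in ipaddress.ip_network(expr, strict=False)


def is_well_formed(expr, variables=VARIABLES):
    """True if the specifier evaluates without error for some probe address."""
    try:
        matches(expr, "0.0.0.0", variables)
        return True
    except ValueError:
        return False


def demorgan_pair(address, variables=VARIABLES):
    """Return (lhs, rhs) for the two forms the reply says are equivalent:
    NOT (host OR NOT HOME_NET)  versus  (NOT host) AND HOME_NET."""
    lhs = matches("![155.200.2.10/32,!$HOME_NET]", address, variables)
    rhs = (not matches("155.200.2.10/32", address, variables)) and \
        matches("$HOME_NET", address, variables)
    return lhs, rhs


if __name__ == "__main__":
    for probe in ("155.200.2.10", "155.200.2.20", "155.200.3.7", "10.0.0.1"):
        print(probe, demorgan_pair(probe))
    print("IP= form well formed:", is_well_formed("![IP=155.200.2.10,!$HOME_NET]"))
```

Under this model the cron host 155.200.2.10 is excluded, other hosts in either /24 are included, and addresses outside HOME_NET are excluded, which is exactly the "range with a hole in it" the poster wanted; whether a given Snort build accepts the nested negation is a separate question that only a test against that build answers.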




