Re: EXTERNAL_NET var acting strange

[Scott Nursten <scott.nursten () streetsonline co uk>]

OK, finally got a snort installation that I can play on (the other one was live) :) 

I wrote: 
 
> var EXCLUDE [1.1.1.0/24,172.16.16.0/24,172.16.0.0/24]
>
> var EXTERNAL_NET [!$EXCLUDE,1.1.1.4/32]
>
> or what???


This doesn't seem to work either. 

> From the documentation: 

"You may also specify lists of IP addresses. An IP list is specified
by enclosing a comma separated list of IP addresses and CIDR blocks
within square brackets. For the time being, the IP list may not include
spaces between the addresses. See Figure 2.5 for
an example of an IP list in action."

Now, what does this mean EXACTLY? With the complex negation rules, how can I include an IP address that's already been 
excluded or vice versa? Is there a way?? From what Florent is saying, the IP list variables can either be a strict 
exclude OR include - it can't incorporate both...! Feature request maybe? Probably PEBCAK ... either way, does anyone 
know the answer? 

Rgds,

Scott Nursten

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users