Snort mailing list archives
RE: Snort Variables
From: <bmcdowell () coxhealthplans com>
Date: Fri, 6 Feb 2004 14:23:31 -0600
Check out http://subnetcreator.sourceforge.net/ if you're looking for a tool to help you come up with a list of subnets you can add together to get what you're after.

Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Friday, February 06, 2004 12:38 PM
To: SN ORT; Snort Users
Subject: Re: [Snort-users] Snort Variables

At 11:32 AM 2/6/2004, SN ORT wrote:
> OK, so in the process of optimizing my config, I want to be able to check and see that the variables are reading and storing the correct info I put in the config. Example:
>
>   var $HTTP_SERVERS [$HOME_NET,!$FIREWALLS]
>
> So how do I look at this variable to see its contents?

Expand it by hand... They're just done as literal text substitution.

I suspect you have a common and obvious logic bug. From looking at the above, you want to match HOME_NET and exclude FIREWALLS.. However, that's not what you've declared.

The comma separated listings in IP address lists for snort is an OR operator. So the list matches (HOME_NET) OR (not FIREWALLS). If FIREWALLS is a subset of HOME_NET, the result is the same as "any".

With snort syntax you cannot define HTTP_SERVERS = "everything in HOME_NET, with the exclusion of my FIREWALLS". You have to define it by adding things together.. no subtractions.

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
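
The hand expansion and the add-things-together approach from the messages above, as an added Python example that is not part of the original thread. The addresses are constructed sample values, the function names are hypothetical, and or_match models the OR behaviour as the reply describes it rather than Snort's own parser.

```python
import ipaddress
import re

# Constructed sample values (assumptions); the thread gives no real addresses.
VARS = {
    "HOME_NET": "[10.1.0.0/24,192.168.5.0/24]",
    "FIREWALLS": "[10.1.0.1/32,10.1.0.254/32]",
    "HTTP_SERVERS": "[$HOME_NET,!$FIREWALLS]",
}

def expand(name, variables):
    """Expand $NAME references by literal text substitution."""
    text = variables[name]
    while "$" in text:
        text = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)
    return text

def nets(name, variables):
    """Parse a flat, negation-free variable into network objects."""
    body = expand(name, variables).replace("[", "").replace("]", "")
    return [ipaddress.ip_network(n) for n in body.split(",")]

def or_match(ip, include, negated):
    """Model of the reply's reading: (in include) OR (not in negated)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in include) or not any(addr in n for n in negated)

def additive(include, exclude):
    """Return include minus exclude as plain subnets, with no negation."""
    result = list(include)
    for ex in exclude:
        kept = []
        for net in result:
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # split around ex
            elif not net.subnet_of(ex):
                kept.append(net)  # disjoint from ex, keep whole
        result = kept
    return sorted(ipaddress.collapse_addresses(result))

def snort_var(name, networks):
    """Format networks as a Snort 'var' line."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in networks))

if __name__ == "__main__":
    home, fw = nets("HOME_NET", VARS), nets("FIREWALLS", VARS)
    print(expand("HTTP_SERVERS", VARS))
    print(or_match("10.1.0.1", home, fw), or_match("203.0.113.9", home, fw))
    print(snort_var("HTTP_SERVERS", additive(home, fw)))
```

Under that OR reading both the firewall address and an unrelated outside address match, while the additive list covers HOME_NET without the two firewall hosts.
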
Current thread:
- Snort Variables SN ORT (Feb 06)
- Re: Snort Variables Matt Kettler (Feb 06)
- <Possible follow-ups>
- RE: Snort Variables bmcdowell (Feb 06)
