lenbsasquatch.com

• Next message: Frank Knobbe: "[Snort-users] Win32 port and Syslog"
• Previous message: DmuZ: "[Snort-users] named scan -> iquery -> version probe from korea"
• In reply to: roesch: "[Snort-users] Status update"
• Reply: Len Burns: "Re: [Snort-users] Status update"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 18 Nov 2000, roesch wrote:

> Hi everyone,
> Sorry for my lack of participation this week, I've been out on the west coast for some meetings.
> I'm in the process of putting up a new set of code into CVS that's got a major new piece: IP lists. That's right, you can finally issue a list of IP addresses in a Snort rule. About damn time, huh? :)
> Anyway, to use it you have to enclose the address list in square brackets and separate the addresses with commas. Note that you can't put spaces between the addresses right now, it confuses the parser. Here's an example of the format:
>
> [10.1.1.0/24,192.168.1.0/24]
>
> If you used it in a var, it'd look like this:
>
> var FOO [10.1.1.0/24,192.168.1.0/24]
This is great! I am fiddling with it over here and
perhaps it is not yet fully in place, but trying it from a cvs of
perhaps an hour ago, I have the following:
var HOME_NET [192.168.236.160/27,192.168.237.0/24,192.168.236.192/27]
Nov 18 14:02:37 seashell snort: ERROR snort.conf (42) => Rule netmask
(27,192.168.237.0/24,192.168.236.192/27]) didn't x-late, WTF?

-Len

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users

• Next message: Frank Knobbe: "[Snort-users] Win32 port and Syslog"
• Previous message: DmuZ: "[Snort-users] named scan -> iquery -> version probe from korea"
• In reply to: roesch: "[Snort-users] Status update"
• Reply: Len Burns: "Re: [Snort-users] Status update"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]