Just because I know you haven't, I'm going to ask: have you tried a Snort users group? A Snort usenet group? *Anyone*??? Didn't think so...
Or just RTFM right on the snort site. http://www.snort.org/docs/snort_htmanuals/htmanual_233/node18.html (there is a specific example addressing this EXACT issue) Sec: 3.2.3 IP Addresses Figure: Example IP Address Negation Rule" ~Mike. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
