2014-01-09 09:33 AM
Hey I'm sure this is an easy question. Can anyone tell me why the && Not section of this rule is not working.
ip.dst=131.253.18.0/24 || ip.dst=199.2.137.0/24 || ip.dst=207.46.90.0/24 || ip.dst=1.1.1.0/24 && (ip.src!=10.10.10.101 || ip.src!=10.10.10.102 || ip.src!=10.10.10.103)
And why the heck can't I paste into these discussions!
Phil
2014-01-09 11:49 AM
Sorry about not being able to paste. Looking at your rule, I rarely use the ORing function. Your rule would work just as well as lists-
ip.dst=131.x.x.x/24,199.x.x.x/24,207.x.x.x/24, && ip.src !=10.10.10.101-10.10.10.103
This is the same logic, and removes the ORing boolean function. Let me know if that works better.
2014-01-10 08:05 PM
Fielder's answer works, but I'll speak to the original problem just for informational purposes - it looks like a logic error.
(ip.src!=10.10.10.101 || ip.src!=10.10.10.102 || ip.src!=10.10.10.103)
This will actually MATCH (return "true") with a source IP of 10.10.10.101.
Since all the terms are OR'd, if any one of them is TRUE then the entire expression evaluates to TRUE.
When your source IP is 10.10.10.101, the first comparison evaluates to FALSE (ip.src!=10.10.10.101) as expected, BUT "ip.src!=10.10.10.102" evaluates to TRUE ... since one of the terms is true, and the terms are OR'd, the whole grouping will evaluate to TRUE.
I suspect the logic you're really looking for is:
(ip.src!=10.10.10.101 && ip.src!=10.10.10.102 && ip.src!=10.10.10.103)
Now all three conditions must be true - the source IP cannot be any of the three IPs - before it will match.
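To make the logic in the answer above concrete, here is an added Python example (not code from the thread or from any particular firewall product) that evaluates both groupings, the original OR'd "!=" terms and the corrected AND'd ones, against a few constructed sample flows. The subnets and host addresses are the ones quoted in the thread; the sample flows and the function names are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Destination subnets and excluded source hosts from the rule quoted in the thread
DST_NETS = [ip_network(n) for n in (
    "131.253.18.0/24", "199.2.137.0/24", "207.46.90.0/24", "1.1.1.0/24")]
EXCLUDED_SRC = [ip_address(a) for a in (
    "10.10.10.101", "10.10.10.102", "10.10.10.103")]


def dst_in_list(dst):
    """The OR'd ip.dst terms: true when the destination is in any listed subnet."""
    return any(ip_address(dst) in net for net in DST_NETS)


def term_results(src):
    """Evaluate each 'ip.src != X' term separately, as the answer walks through it."""
    s = ip_address(src)
    return {str(x): s != x for x in EXCLUDED_SRC}


def src_or_not(src):
    """The original grouping: (src != a || src != b || src != c).

    Because a source can differ from at most all but one of the listed hosts,
    at least one term is always true, so this matches every source address.
    """
    return any(term_results(src).values())


def src_and_not(src):
    """The corrected grouping: (src != a && src != b && src != c)."""
    return all(term_results(src).values())


def original_rule(src, dst):
    return dst_in_list(dst) and src_or_not(src)


def corrected_rule(src, dst):
    return dst_in_list(dst) and src_and_not(src)


# Constructed sample flows (src, dst); not taken from the thread
SAMPLE_FLOWS = [
    ("10.10.10.101", "131.253.18.5"),   # excluded host -> listed subnet
    ("10.10.10.102", "199.2.137.9"),    # excluded host -> listed subnet
    ("10.10.10.50", "207.46.90.77"),    # ordinary host -> listed subnet
    ("10.10.10.50", "192.168.1.1"),     # ordinary host -> unlisted subnet
]


def matches(rule):
    """Return the sample flows a rule function matches."""
    return [(s, d) for s, d in SAMPLE_FLOWS if rule(s, d)]


if __name__ == "__main__":
    print("per-term results for 10.10.10.101:", term_results("10.10.10.101"))
    print("original rule matches: ", matches(original_rule))
    print("corrected rule matches:", matches(corrected_rule))
```

Running it shows that for source 10.10.10.101 only the first term is false, the other two are true, so the OR'd grouping still matches and the excluded hosts are never actually excluded; the AND'd grouping matches only the ordinary host's flow to a listed subnet.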