All,
I'm trying to tune some of the noiser sweep signatures on a IPS
6.0/6.1 set of sensors so that they only hit on a pre-defined set of "dark" ip addresses. I've created a signature variable to store my IP list and tuned each signature with this variable as the "dst addr filter" only to discover that this filter hits on everything but the IPs in the filter list. Using a "!" in front of the variable name gives a parse error. Is there any way to accomplish what I am trying to do short of setting the dark variable to all IP addresses besides the ones I am trying to monitor?GM