In the Filter Library I have created the following filters:
Net_0-7 SourceIP[0.0.0.0/5] DestinationIP[0.0.0.0/5] Net_8-9 SourceIP[22.214.171.124/7] DestinationIP[126.96.36.199/7] Net_10 SourceIP[10.0.0.0/8] DestinationIP[10.0.0.0/8] Net_11 SourceIP[188.8.131.52/8] DestinationIP[184.108.40.206/8] Net_12-15 SourceIP[220.127.116.11/6] DestinationIP[18.104.22.168/6] Net_16-31 SourceIP[22.214.171.124/4] DestinationIP[126.96.36.199/4] Net_32-63 SourceIP[188.8.131.52/3] DestinationIP[184.108.40.206/3] Net_64-127 SourceIP[220.127.116.11/2] DestinationIP[18.104.22.168/2] Net_128-255 SourceIP[22.214.171.124/1] DestinationIP[126.96.36.199/1]
For the Packet Sniffer Sensor I have the following:
Include Ruleset Net_0-7 Net_8-9 Net_11 Net_12-15 Net_16-31 Net_32-63 Net_64-127 Net_128-255 Exclude Rulset Net_10
Is this the right syntax in the include ruleset to included all traffic from networks 0-9 and 11-255? Is it just spaces between each rule? Should I explicitly add "or" between each rule?
Is there a better way to do this?
The intent is to capture and report all traffic that is not on my private 10 network.