Snort mailing list archives
Re: EXTERNAL_NET var acting strange
From: Scott Nursten <scott.nursten () streetsonline co uk>
Date: Tue, 21 Aug 2001 15:22:39 +0100
Unfortunately, that doesn't take care of the 172.16.[0|16].0/24 addresses. Thanks for the help tho'.

My last post had: ![exclude],[include] - but that definitely doesn't work.

So, if I want to include one (or a subnet of) address[es] in my EXTERNAL_NET, do I have to go:

var EXCLUDE [1.1.1.0/24,172.16.16.0/24,172.16.0.0/24]
var EXTERNAL_NET [!$EXCLUDE,1.1.1.4/32]

or what???

Scott

John Sage wrote:
Scott:

Have you tried:

var EXTERNAL_NET !$HOME_NET

(Not wanting to get involved in the ongoing logic-syntax debate... ;-)

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Scott Nursten wrote:

Hi guys,

In my conf, I have the following (obfuscated live IP's):

-----snip------
var HOME_NET 1.1.1.0/24

# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET [!1.1.1.0/24,!172.16.0.0/24,!172.16.16.0/24]
-----snip------

However, ICMP packets from 1.1.1.66 -> 1.1.1.55 get logged through the following rule:

icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

If I change EXTERNAL_NET to !1.1.1.0/24 (without the ['s and ,'s), it works fine (i.e. those packets don't get logged).

Please point out the error.

Rgds,
--
Scott Nursten - Systems Administrator
----------------------------------------------
ddi: +44 (0) 1293 744 122
work: +44 (0) 1293 402 040
fax: +44 (0) 1293 402 050
email: scottn () streetsonline co uk
wwweb: http://www.streetsonline.co.uk
----------------------------------------------
Any sufficiently advanced technology is indistinguishable from magic.
Arthur C. Clarke
Any technology distinguishable from magic is insufficiently advanced.
(Probably not) Arthur C. Clarke

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
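Added example, not part of the thread and not Snort's own code: a small Python model of a Snort-style address-list evaluator in which the elements of a bracketed list are ORed and a leading `!` negates only the element it is attached to. Under those semantics `[!1.1.1.0/24,!172.16.0.0/24,!172.16.16.0/24]` is true for a source that is outside *any one* of the three networks, so 1.1.1.66 (outside the two 172.16 nets) still counts as EXTERNAL_NET, which is exactly the behaviour Scott reports, while the bare `!1.1.1.0/24` excludes only the home net. The OR-of-elements rule and the `![...]` negated-list form (negation applied to the whole list) are assumptions of this model, not something the thread confirms for the Snort version in use; the packet addresses are the ones from the post.

```python
import ipaddress


def split_list(spec):
    """Split a flat Snort-style bracketed list into its elements.

    Nested brackets are not handled; the thread only uses flat lists.
    """
    spec = spec.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("expected a bracketed list: %r" % spec)
    return [e.strip() for e in spec[1:-1].split(",") if e.strip()]


def matches(spec, ip):
    """Evaluate an address spec against a single IP.

    Assumed semantics (a model, not a quote of Snort's parser):
      any            -> always true
      a.b.c.d/n      -> ip is inside the network
      !<spec>        -> negation of <spec>, applied to that element only
      [e1,e2,...]    -> e1 OR e2 OR ...
      ![e1,e2,...]   -> NOT (e1 OR e2 OR ...), i.e. "in none of them"
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], ip)
    if spec.startswith("["):
        return any(matches(e, ip) for e in split_list(spec))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_fires(external_net, home_net, src, dst):
    """Model of 'alert icmp $EXTERNAL_NET any -> $HOME_NET any' address matching."""
    return matches(external_net, src) and matches(home_net, dst)


# The three EXTERNAL_NET spellings under discussion.
LIST_OF_NEGATIONS = "[!1.1.1.0/24,!172.16.0.0/24,!172.16.16.0/24]"  # from the post
SINGLE_NEGATION = "!1.1.1.0/24"                                      # from the post
NEGATED_LIST = "![1.1.1.0/24,172.16.0.0/24,172.16.16.0/24]"          # assumed later-Snort form
HOME_NET = "1.1.1.0/24"

# Constructed sample packets: the one Scott saw logged, a 172.16 source,
# and a genuinely external source.
SAMPLE_PACKETS = [
    ("1.1.1.66", "1.1.1.55"),
    ("172.16.16.5", "1.1.1.55"),
    ("203.0.113.9", "1.1.1.55"),
]


def evaluate_all():
    """Return {spec: [fires?, ...]} for each spelling over SAMPLE_PACKETS."""
    return {
        spec: [rule_fires(spec, HOME_NET, s, d) for s, d in SAMPLE_PACKETS]
        for spec in (LIST_OF_NEGATIONS, SINGLE_NEGATION, NEGATED_LIST)
    }


if __name__ == "__main__":
    for spec, results in evaluate_all().items():
        print(spec)
        for (src, dst), fired in zip(SAMPLE_PACKETS, results):
            print("  %-13s -> %-10s  fires=%s" % (src, dst, fired))
```

Running it shows the list of per-element negations firing on 1.1.1.66 -> 1.1.1.55 (because that source is not in 172.16.0.0/24), the single negation staying quiet on that packet but firing on the 172.16.16.5 source, and the negated-list form firing only on the 203.0.113.9 source. In other words, "not in A, not in B, not in C" has to be expressed as the negation of the union, not as a union of negations.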
Current thread:
- EXTERNAL_NET var acting strange Scott Nursten (Aug 21)
- Re: EXTERNAL_NET var acting strange Florent (Aug 21)
- Re: EXTERNAL_NET var acting strange Scott Nursten (Aug 21)
- Re: EXTERNAL_NET var acting strange Florent (Aug 21)
- Message not available
- Re: EXTERNAL_NET var acting strange Florent (Aug 21)
- Re: EXTERNAL_NET var acting strange Scott Nursten (Aug 21)
- Re: EXTERNAL_NET var acting strange Scott Nursten (Aug 21)
- Re: EXTERNAL_NET var acting strange Florent (Aug 21)
- Re: EXTERNAL_NET var acting strange John Sage (Aug 21)
- Re: EXTERNAL_NET var acting strange Scott Nursten (Aug 21)
- Re: EXTERNAL_NET var acting strange Scott Nursten (Aug 21)
- Re: EXTERNAL_NET var acting strange Florent (Aug 21)
- Re: EXTERNAL_NET var acting strange Scott Nursten (Aug 21)