Snort mailing list archives

Re: Brackets around 1st variable in snort.conf


From: John Sage <jsage () finchhaven com>
Date: Sun, 02 Sep 2001 10:50:43 -0700

Kari Suomela wrote:

Sunday September 02 2001 15:54, Randy wrote to All:


 R> "FATAL ERROR: ERROR /etc/snort/exploit.rules (6) => Rule IP addr
 R> ([nnn.nnn.nnn.0) didn't x-late, WTF?"

 R> I'm using this syntax "var HOME_NET
 R> [nnn.nnn.nnn.0/24,nnn.nnn.nnn.0/24]

nnn.nnn.nnn.0 is not a valid IP - or range!
            ^


This, at least, is nonsense.  That's standard CIDR notation.

nnn.nnn.nnn.0 is a network address, which is just what you want to specify for HOME_NET...

Take 192.168.1.0/24 for example:

Address:   192.168.1.0           11000000.10101000.00000001 .00000000
Netmask:   255.255.255.0 == 24   11111111.11111111.11111111 .00000000
=>
Network:   192.168.1.0/24        11000000.10101000.00000001 .00000000 (Class C)
Broadcast: 192.168.1.255         11000000.10101000.00000001 .11111111
HostMin:   192.168.1.1           11000000.10101000.00000001 .00000001
HostMax:   192.168.1.254         11000000.10101000.00000001 .11111110
Hosts/Net: 254                   (Private Internet)

(Thanks to ipcalc -- see: http://jodies.de/ )


Unfortunately, this doesn't answer the original question, because it looks like Randy has the syntax correct:


From http://snort.sourcefire.com/docs/writing_rules/ :

"...For example, the address/CIDR combination 192.168.1.0/24 would signify the block of addresses from 192.168.1.1 to 192.168.1.255. Any rule that used this designation for, say, the destination address would match on any address in that range. The CIDR designations give us a nice short-hand way to designate large address spaces with just a few characters.
..."


"2.1.2  Variables

Variables may be defined in Snort. These are simple substitution variables set with the var keyword as in Figure 2.2.

Format

  var: <name> <value>

    var MY_NET [192.168.1.0/24,10.1.1.0/24] "



I've played with this for hours to no avail.  Tried other variable names and
substitutions, no joy.

Multi CIDR sub-nets in HOME_NET worked fine in 1.7.  Multi CIDR sub-nets work in
all other variables in 1.8.1, except the 1st listed in snort.conf.

Only if I use a single non-bracketed value for the 1st variable, will snort run.

Have I missed something?



Krikeys.. not that I can see.


- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
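Added example (not code from the thread or from the Snort project): a small pre-flight checker for the `var NAME [a/24,b/24]` lines discussed above. It splits a bracketed list the way the 2.1.2 format describes, resolves each token into the same network/broadcast/HostMin/HostMax/hosts summary ipcalc printed for 192.168.1.0/24, and reports two things a practitioner wants flagged before starting Snort: an unbalanced bracket (the "[nnn.nnn.nnn.0" shape in the error message still carries its "[") and an address with host bits set. It uses Python's standard `ipaddress` module, the snort.conf fragment is constructed for the demo, and it does not reproduce Snort's own parser, so it cannot explain the 1.8.1 behaviour Randy reports; it only checks what the file contains.

```python
import ipaddress
import re

# Constructed snort.conf fragment for the demo; it is not the poster's file.
SAMPLE_CONF = """\
var HOME_NET [192.168.1.0/24,10.1.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS 192.168.1.53
var SLOPPY_NET [192.168.1.5/24]
var BROKEN_NET [192.168.2.0/24
"""

# 'var <name> <value>' as shown in section 2.1.2; the value carries no spaces here.
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)\s*$')


def split_var_value(value):
    """Split a var value into address tokens.

    '[a,b]' -> ['a', 'b'], 'a' -> ['a'], 'any' -> ['any'].
    Raises ValueError on an unbalanced bracket, so a value like
    '[192.168.2.0/24' is reported instead of being passed on with its '['.
    """
    value = value.strip()
    has_open, has_close = value.startswith('['), value.endswith(']')
    if has_open != has_close:
        raise ValueError("unbalanced bracket in %r" % value)
    if has_open:
        value = value[1:-1]
    return [t.strip() for t in value.split(',') if t.strip()]


def describe_cidr(token):
    """ipcalc-style summary of one address/CIDR token.

    An address with host bits set (192.168.1.5/24) is resolved to its
    network address, as ipcalc does, and carries a warning.
    A bare address (no prefix) is treated as a single host (/32).
    """
    if token == 'any':
        return {'network': 'any', 'warning': None}
    net = ipaddress.ip_network(token, strict=False)
    given = ipaddress.ip_address(token.split('/')[0])
    warning = None
    if given != net.network_address:
        warning = "host bits set: %s is inside %s" % (given, net)
    if net.prefixlen >= net.max_prefixlen - 1:
        # /31 and /32: no network or broadcast address is reserved
        hostmin, hostmax, hosts = net.network_address, net.broadcast_address, net.num_addresses
    else:
        hostmin = net.network_address + 1
        hostmax = net.broadcast_address - 1
        hosts = net.num_addresses - 2
    return {
        'network': str(net),
        'netmask': str(net.netmask),
        'broadcast': str(net.broadcast_address),
        'hostmin': str(hostmin),
        'hostmax': str(hostmax),
        'hosts': hosts,
        'warning': warning,
    }


def check_vars(conf_text):
    """Return {var_name: [(token, summary_or_error), ...]} for every var line."""
    report = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        try:
            tokens = split_var_value(value)
        except ValueError as e:
            report[name] = [(value, {'error': str(e)})]
            continue
        entries = []
        for tok in tokens:
            try:
                entries.append((tok, describe_cidr(tok)))
            except ValueError as e:
                entries.append((tok, {'error': str(e)}))
        report[name] = entries
    return report


if __name__ == '__main__':
    for name, entries in check_vars(SAMPLE_CONF).items():
        for tok, info in entries:
            print(name, tok, info)
```

Run against the sample, HOME_NET resolves cleanly to the two /24 blocks (254 hosts each, broadcast 192.168.1.255 for the first), SLOPPY_NET is kept but warned about, and BROKEN_NET is rejected at the bracket stage before any address is looked at.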
