Snort mailing list archives
Re: IP Address's in Rule
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 09 Oct 2002 14:13:56 -0400
The comma'ed list of IP's is a logical OR operation so:

[!X.Y.W.Z/32, !A.B.C.D/32]

is the same thing as any, and your longer list is also the equivalent of any.
This happens because it will match anything which is (not X.Y.W.Z) OR (not A.B.C.D). This set effectively matches X.Y.W.Z, because it matches the !A.B.C.D part, and it will also match A.B.C.D, because it matches the !X.Y.W.Z part, and any other IP will match both.
In your case you'll likely want to do something like this:

var OK_TO_DNSXFER [X.Y.W.Z/32, A.B.C.D/32,E.F.G.H/32,<insert other IP's allowed to do xfers here>]

alert tcp !$OK_TO_DNSXFER any -> $HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+; offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:1000255; rev:1;)

Note that I have the ! outside the list in this case, which means it will be NOT (X.Y.W.Z OR A.B.C.D OR E.F.H.G OR <whatever else>), instead of (NOT X.Y.W.Z) OR (NOT A.B.C.D) OR (NOT E.F.H.G) etc.
Note the subtle difference, saying "I will accept anything which is not an apple or an orange" is very different than saying "I will accept anything which is not an apple, or I will accept anything which is not an orange".
At 12:57 PM 10/9/2002 -0400, Mike McCabe wrote:
How do I include specific IP addresses in a rule? Say I want to have certain IP addresses not looked at and still want the rule to use EXTERNAL_NET... Something like:

alert tcp [!X.Y.W.Z/32,!A.B.C.D/32,!E.F.G.H/32,$EXTERNAL_NET] any -> $HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+; offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:2;)

But it doesn't seem to work... Any help would be appreciated... Mike
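The OR semantics Matt describes can be checked mechanically. The following is an added example, not code from the thread or from Snort itself: a simplified evaluator of Snort-style IP lists (comma list is OR, a ! on an element negates only that element, a ! in front of the brackets negates the whole list; no nested lists or $variables), plus a lint that flags a list of the [!A, !B] form. The addresses 192.0.2.x / 198.51.100.x are constructed placeholders standing in for X.Y.W.Z and friends.

```python
import ipaddress


def parse_ip_list(spec):
    """Parse '[!a,!b]' or '![a,b]' into (negate_whole, [(negate_elem, network), ...]).

    Simplified model (assumption): elements are OR'ed; '!' on an element negates
    that element only; '!' before the bracket negates the whole list.
    """
    spec = spec.strip()
    negate_whole = spec.startswith("!")
    if negate_whole:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    elems = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        neg = item.startswith("!")
        if neg:
            item = item[1:].strip()
        # 'any' is the whole IPv4 address space; everything else is a CIDR or host
        net = ipaddress.ip_network("0.0.0.0/0" if item == "any" else item, strict=False)
        elems.append((neg, net))
    return negate_whole, elems


def ip_matches(spec, ip):
    """True if the address is selected by the list under the OR semantics above."""
    negate_whole, elems = parse_ip_list(spec)
    addr = ipaddress.ip_address(ip)
    # each element is 'addr in net', inverted when the element carries its own '!'
    hit = any((addr in net) != neg for neg, net in elems)
    return hit != negate_whole


def lint_negations(spec):
    """Warn when two negated, non-overlapping elements are OR'ed together:
    (NOT A) OR (NOT B) with disjoint A and B is true for every address."""
    negate_whole, elems = parse_ip_list(spec)
    negated = [net for neg, net in elems if neg]
    if negate_whole or len(negated) < 2:
        return None
    for i, a in enumerate(negated):
        for b in negated[i + 1:]:
            if not a.overlaps(b):
                return f"{spec}: !{a} OR !{b} matches every address; write ![{a},{b}] instead"
    return None
```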