Snort mailing list archives
Re: Snort home net and external net question
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 3 Sep 2010 14:25:16 -0400
That error is because the /16 contains the /24 (bigger = more general).

You can do ...

    [10.1.0.0/16, ![10.1.1.0/24]]

But you can not do ...

    [10.1.1.0/24,![10.1.0.0/16]]

Also, order does not matter.

pp. 20-21 Snort Manual

IP Variables and IP Lists

IPs may be specified individually, in a list, as a CIDR block, or any combination of the three. If IPv6 support is enabled, IP variables should be specified using ’ipvar’ instead of ’var’. Using ’var’ for an IP variable is still allowed for backward compatibility, but it will be deprecated in a future release.

IPs, IP lists, and CIDR blocks may be negated with ’!’. Negation is handled differently compared with Snort versions 2.7.x and earlier. Previously, each element in a list was logically OR’ed together. IP lists now OR non-negated elements and AND the result with the OR’ed negated elements.

The following example list will match the IP 1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255, with the exception of IPs 2.2.2.2 and 2.2.2.3.

    [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

The order of the elements in the list does not matter. The element ’any’ can be used to match all IPs, although ’!any’ is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed.

See below for some valid examples of IP variables and IP lists.

    ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

Wally

P.S. It being Friday and all... I think that is worth 1 drink...
http://blog.joelesler.net/2008/02/snort-drinking-game-by-erek-adams.html

On Fri, Sep 3, 2010 at 1:54 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 9/3/2010 12:52, Joel Esler wrote:
>> On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:
>>> If I have my home net of snort set to:
>>>
>>> var HOME_NET [10.215.0.0/16]
>>>
>>> How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
>>
>> With recent versions of Snort,
>
> please define "recent"... 2.8.3?
>
>> you can do positives and negatives in the same variable, but the more
>> specific entry needs to come first.
>>
>> var HOME_NET [10.215.0.0/16]
>> var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]
>
> [aside] bug alert in the above! 2 bugs exist [/aside]
>
> now that's nice and a lot easier than using a CIDR calculator to work out the
> ranges as i did for my reply...
>
> if you have two or more sub-ranges, they all go first before !HOME_NET? does
> their numerical order matter?
>
> ie:
> var HOME_NET [10.215.0.0/16]
> var EXTERNAL_NET [10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
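The negation semantics and the "more general" restriction quoted from the Snort Manual in the message above, as an added Python example (not part of the original thread and not Snort's own parser). The function names `parse_ip_list` and `matches` are hypothetical, and treating a list with only negated elements as "any except those" is an assumption.

```python
import ipaddress

def parse_ip_list(text, variables=None):
    """Flatten a Snort-style IP list into (positives, negatives) networks."""
    variables = variables or {}
    pos, neg = [], []

    def walk(s, negated):
        s = s.strip()
        if s.startswith("!"):
            walk(s[1:], not negated)
        elif s.startswith("$"):          # variable reference, e.g. $HOME_NET
            walk(variables[s[1:]], negated)
        elif s.startswith("["):
            if not s.endswith("]"):
                raise ValueError("unbalanced brackets: " + s)
            depth, start, inner = 0, 0, s[1:-1] + ","
            for i, ch in enumerate(inner):
                depth += (ch == "[") - (ch == "]")
                if ch == "," and depth == 0:   # split on top-level commas only
                    walk(inner[start:i], negated)
                    start = i + 1
        elif s == "any":
            if negated:
                raise ValueError("'!any' is not allowed")
            pos.append(ipaddress.ip_network("0.0.0.0/0"))  # IPv4 'any' only
        else:
            (neg if negated else pos).append(ipaddress.ip_network(s, strict=False))

    walk(text, False)
    # A negated range that is more general than a non-negated one is rejected.
    for n in neg:
        for p in pos:
            if n.version == p.version and n != p and p.subnet_of(n):
                raise ValueError(f"negated {n} is more general than {p}")
    return pos, neg

def matches(ip, pos, neg):
    """OR the non-negated elements, then AND with NOT(OR of negated elements)."""
    addr = ipaddress.ip_address(ip)
    # Assumption: a list with only negated elements means "any except those".
    hit = any(addr in p for p in pos) if pos else True
    return hit and not any(addr in n for n in neg)

if __name__ == "__main__":
    manual = parse_ip_list("[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]")
    for ip in ("1.1.1.1", "2.2.2.200", "2.2.2.2", "3.3.3.3"):
        print(ip, matches(ip, *manual))
```

Under these rules the list `[10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]` from the quoted question is rejected, because each /24 sits inside the negated /16.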