Re: Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)

[Joel Esler <jesler () sourcefire com>]

Can you use thresholding or a bpf to solve this problem?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 3, 2012, at 5:02 AM, elof () sentor se wrote:

> Unfortunetly, your solution fails when you have rules like this:
>
> var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
> var EXTERNAL_NET any
> alert tcp $HOME_NET any -> !$HOME_NET 69
>
> !$HOME_NET will expand to a negated list with negated items in it. Double negation is not allowed --> bailout.
>
>
> Example:
> I have rules that must *only* match outgoing traffic from the HOME_NET to the internet, not internal traffic from ha 
> HOME_NET client to a HOME_NET server.
> Like if I only want an alert when snort see a TFTP filetransfer towards the internet, not internal TFTP transfers:
>
> original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
> modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
>
> or rules like this:
> alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
>
> ...will fail with:
>
> ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider 
> inverting the logic: !$DNS_SERVERS. Fatal Error, Quitting..
>
>
>
> I made a request to the snort developers, like four years ago, to fix this and allow negated items in a negated list. 
> I didn't get any response if I recall correctly.
>
> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS, etc.
>
> /Elof
>
>
>
> On Mon, 1 Oct 2012, Jack Pepper wrote:
>
> > I did not know this was available.  that's a way better (and more
> > inuitive) solution.
> >     ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
> >
> > jp
> >
> > On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler () sourcefire com> wrote:
> >
> > > On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack () afferentsecurity com>
> > > wrote:
> > >
> > > the subject of how to exclude one IP address from HOME_NET still comes up
> > > occasionally.  Usually it's a proxy server.  I wrote a little program a
> > > long time ago (2008?) to create a HOME_NET statement with the proxy address
> > > excluded.  Herewith I offer it to the public (should a done that a long
> > > time ago).
> > >     http://www.autoshun.org/exclusion.asp
> > >
> > >
> > > Please see this section of the Snort Manual:
> > >
> > > http://manual.snort.org/node16.html#SECTION00312000000000000000
> > >
> > > As it references how to exclude certain IPs within a variable.
> > >
> > > Also Cc'ing the Snort-users list, as this is a Snort issue (not an
> > > emerging-sigs issue) and someone may find it useful.
> > >
> > > --
> > > Joel Esler
> > > Senior Research Engineer, VRT
> > > OpenSource Community Manager
> > > Sourcefire


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!