Snort mailing list archives
Re: Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 3 Oct 2012 10:30:11 -0400
Can you use thresholding or a bpf to solve this problem?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 3, 2012, at 5:02 AM, elof () sentor se wrote:

> Unfortunately, your solution fails when you have rules like this:
>
>   var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>   var EXTERNAL_NET any
>   alert tcp $HOME_NET any -> !$HOME_NET 69
>
> !$HOME_NET will expand to a negated list with negated items in it.
> Double negation is not allowed --> bailout.
>
> Example: I have rules that must *only* match outgoing traffic from the HOME_NET to the internet, not internal traffic from a HOME_NET client to a HOME_NET server. Like if I only want an alert when snort sees a TFTP file transfer towards the internet, not internal TFTP transfers:
>
>   original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
>   modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
>
> or rules like this:
>
>   alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
>
> ...will fail with:
>
>   ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: !$DNS_SERVERS.
>   Fatal Error, Quitting..
>
> I made a request to the snort developers, like four years ago, to fix this and allow negated items in a negated list. I didn't get any response if I recall correctly.
>
> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS, etc.
>
> /Elof
>
> On Mon, 1 Oct 2012, Jack Pepper wrote:
>
>> I did not know this was available. That's a way better (and more intuitive) solution.
>>
>>   ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>>
>> jp
>>
>> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler () sourcefire com> wrote:
>>
>>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack () afferentsecurity com> wrote:
>>>
>>>> The subject of how to exclude one IP address from HOME_NET still comes up occasionally. Usually it's a proxy server. I wrote a little program a long time ago (2008?) to create a HOME_NET statement with the proxy address excluded. Herewith I offer it to the public (should have done that a long time ago).
>>>>
>>>> http://www.autoshun.org/exclusion.asp
>>>
>>> Please see this section of the Snort Manual:
>>> http://manual.snort.org/node16.html#SECTION00312000000000000000
>>> As it references how to exclude certain IPs within a variable.
>>>
>>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an emerging-sigs issue) and someone may find it useful.
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
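As an added example (not from this thread and not Snort's own code), the Python below models the ipvar list semantics the thread relies on, under the assumption that an address matches a list when it lies inside some non-negated entry and outside every negated one, and it shows the workaround of computing the complement of HOME_NET as positive-only CIDRs that can be declared as their own ipvar instead of writing !$HOME_NET. It is IPv4-only, handles one level of nesting, and the function names and NOT_HOME_NET are my own.

```python
import ipaddress

# Assumed semantics: match = inside any included net AND inside no excluded net.
def parse_ipvar(spec):
    """Parse "[a,b,![c,d]]" into (include, exclude) lists of ip_network objects.
    A negated nested list that itself carries negations is rejected; that is the
    double negation the thread hits when !$HOME_NET is expanded."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    include, exclude, depth, token = [], [], 0, ""
    for ch in spec + ",":
        if ch == "," and depth == 0:
            item, token = token.strip(), ""
            if not item:
                continue
            negated = item.startswith("!")
            body = item.lstrip("!")
            if body.startswith("["):
                inc, exc = parse_ipvar(body)
                if negated and exc:
                    raise ValueError("double negation not allowed: " + item)
                (exclude if negated else include).extend(inc)
                exclude.extend(exc)
            else:
                (exclude if negated else include).append(
                    ipaddress.ip_network(body, strict=False))
            continue
        depth += 1 if ch == "[" else -1 if ch == "]" else 0
        token += ch
    return include, exclude

def matches(addr, include, exclude):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in include) and not any(a in n for n in exclude)

def complement(include, exclude, universe="0.0.0.0/0"):
    """Express !list with positive CIDRs only: carve each included network out
    of the universe, then add back the excluded hosts, which !list must match."""
    remaining = [ipaddress.ip_network(universe)]
    for net in include:
        carved = []
        for r in remaining:
            if net.subnet_of(r):
                carved.extend(r.address_exclude(net))
            elif not r.subnet_of(net):
                carved.append(r)
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining + list(exclude)))

def to_ipvar(name, nets):
    return "ipvar %s [%s]" % (name, ",".join(str(n) for n in nets))

if __name__ == "__main__":
    home = parse_ipvar("[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]")
    print(to_ipvar("NOT_HOME_NET", complement(*home)))
```

The printed NOT_HOME_NET can then be used in place of !$HOME_NET in the TFTP rule from the thread.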