Re: Network Variables

["Seth Dunn" <seth () d2ms com>]

Yes, as James said, thanks for breaking it down.
Very instructive.

I have configured my bpf file as you suggested::
not (net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80)

Snort starts and is running, so I will watch it and see how things go.

Since this is in a file, I don't have to do quotes there, only if I run it from the command line.
The problem with the bpf file was what Shane suggested earlier, how the text editor was handling the end of line 
character.  Snort, (I am guessing the bpf engine it uses) does not like the Windows style characters...it is only 
configured for *nix style editors.  May be something they want to address in future releases....because it is an odd 
problem and one I didn't immediately think of (obviously)....especially since the snort.conf file is read fine.

Thanks again to all for the help and information on this....it has been very enlightening.

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net] 
Sent: Thursday, May 02, 2013 3:00 PM
To: snort-users () lists sourceforge net; Seth Dunn
Subject: Re: [Snort-users] Network Variables

On 5/2/2013 13:23, Seth Dunn wrote:
> So now my question comes, since you were wondering about the rule I 
> was using.
> This is my rule::
> not net 10.10.0.0/24 and dst host 10.75.45.1&&  dst port 80 or not net
> 10.30.0.0/24 and dst host 10.75.45.1&&  dst port 80

ok, i'm going to try to break this down and interpret your wants one section at a time...

> By my understanding, and my desire to see happen is this.
> Traffic from the network 10.10.0.0/24 going to http at 10.75.45.1 
> should be ignored.

(net 10.10.0.0/24 and (host 10.75.45.1 and port 80))

> Also, traffic from the network 10.30.0.0/24 going to http at 
> 10.75.45.1 should be ignored.

(net 10.30.0.0/24 and (host 10.75.45.1 and port 80))

> All other traffic is still monitored.

the above should qualify your two wants... now, let's streamline them a bit to make it more legible...

first, let's combine the two source networks into one statement...

net (10.10.0.0/24 or 10.30.0.0/24)

now the destination host and destination port...

host 10.75.45.1 and port 80

then combine those two lines...

net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80

and lastly negate the whole thing by enclosing it in parens with 'not' on the outside...


not (net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80)


plug that line into your bpf with the double quotes or whatever you need to wrap 
around it and see what happens ;)


FWIW: this was minimally tested on my network via tcpdump and manually checking 
the pcap with wireshark...

NOTES:
1. using 'src net' and 'dst host' plus 'dst port' resulted in only the traffic 
/to/ the server being ignored but all the traffic from the server was seen...

2. removing the 'src' and 'dst' designators denotes all traffic in both 
directions that fits the mask (if i can use that term to describe this object)...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!