Snort mailing list archives

EXTERNAL_NET definition


From: Eric Baur <Eric.Baur () Certegy com>
Date: Fri, 21 Mar 2003 11:47:40 -0800


        I currently have these lines (among others) in my conf file
(a.b.c.0/24 is our real address range):

var HOME_NET [172.18.60.0/23 a.b.c.0/24 10.11.12.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS any
var HTTP_PORTS any

        Due to the number of machines handling web traffic, and the abundance
of ports that web traffic is flowing on, I don't really want to whittle down
those last two any values, but I expected the first two to define $EXTERNAL_NET to
not include any of the addresses of $HOME_NET.  Then, almost immediately, snort
caught this (from ACID):

   #0-(4-27)         [snort] WEB-IIS cmd.exe access        2003-03-21
11:00:57
     a.b.c.174:1215         172.18.60.230:1433         TCP   

        The alert is defined as:
   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase;
classtype:web-application-attack; sid:1002; rev:5;)

        So, how is this rule matching any traffic?  As near as I can tell,
it shouldn't.  Is there some weird interaction of the negation operator
happening here, or am I missing something else?

Thanks,
Eric

PS: snort-1.9.0 running on RH 8.0

-11101011-
Eric Baur
Desktop Support, IS Dept.
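The check behind the question above, as an added example that is not part of the original post and not Snort's own code: a small Python script that evaluates the semantics the post expects for `var EXTERNAL_NET !$HOME_NET` (an address is external only if it lies in none of HOME_NET's blocks) against the addresses in the ACID alert. The real a.b.c.0/24 range is replaced by the constructed documentation range 192.0.2.0/24, and the alert's source a.b.c.174 by 192.0.2.174; these stand-ins and the "in none of the blocks" interpretation are assumptions, and the script does not model what Snort 1.9.0's parser actually does with a negated list variable.

```python
import ipaddress

# Constructed stand-in for the HOME_NET in the post: the real a.b.c.0/24
# is replaced by the documentation range 192.0.2.0/24 (assumption).
HOME_NET = ["172.18.60.0/23", "192.0.2.0/24", "10.11.12.0/24"]


def parse_netlist(entries):
    """Turn a Snort-style list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def containing_block(addr, nets):
    """Return the first block in nets that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def is_external(addr, home_nets):
    """The semantics the post expects for EXTERNAL_NET = !$HOME_NET:
    an address is external only if it lies in none of HOME_NET's blocks."""
    return containing_block(addr, home_nets) is None


def rule_head_matches(src, dst, home_nets):
    """Evaluate the address part of the quoted rule head
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS'.
    With HTTP_SERVERS and HTTP_PORTS both set to 'any', the destination
    (dst) always matches, so only the source address decides the outcome."""
    return is_external(src, home_nets)


def explain(src, dst, home_net=HOME_NET):
    """Report which HOME_NET block (if any) holds each address and whether
    the rule head should match under the expected negation semantics."""
    nets = parse_netlist(home_net)
    return {
        "src_in_home_net": containing_block(src, nets),
        "dst_in_home_net": containing_block(dst, nets),
        "head_should_match": rule_head_matches(src, dst, nets),
    }


if __name__ == "__main__":
    # Stand-in for the ACID alert: a.b.c.174:1215 -> 172.18.60.230:1433
    print(explain("192.0.2.174", "172.18.60.230"))
    # A genuinely external source, for contrast (constructed address)
    print(explain("203.0.113.7", "172.18.60.230"))
```

For the alert's address pair the script reports the source inside 192.0.2.0/24 (the stand-in for a.b.c.0/24) and `head_should_match` as False, which is exactly the expectation stated in the post; when Snort nevertheless fires, the discrepancy is in how the sensor evaluated `!$HOME_NET`, not in the rule body. Running the same check against a few alerts from ACID is a quick way to tell whether every unexpected hit shares a source block, which narrows the question to the variable rather than the signature.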




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net