Snort mailing list archives
EXTERNAL_NET definition
From: Eric Baur <Eric.Baur () Certegy com>
Date: Fri, 21 Mar 2003 11:47:40 -0800
I currently have these lines (among others) in my conf file (a.b.c.0/24 is our real address range):

    var HOME_NET [172.18.60.0/23 a.b.c.0/24 10.11.12.0/24]
    var EXTERNAL_NET !$HOME_NET
    var HTTP_SERVERS any
    var HTTP_PORTS any

Due to the number of machines handling web traffic, and the abundance of ports that web traffic is flowing on, I don't really want to whittle down those last two "any"s, but I expected the first two to define $EXTERNAL_NET to not include any of the addresses of $HOME_NET.

Then, almost immediately, snort caught this (from ACID):

    #0-(4-27) [snort] WEB-IIS cmd.exe access 2003-03-21 11:00:57 a.b.c.174:1215 172.18.60.230:1433 TCP

The alert is defined as:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

So, how is this rule matching any traffic? As near as I can tell, it shouldn't. Is there some weird interaction of the negation operator happening here, or am I missing something else?

Thanks,
Eric

PS: snort-1.9.0 running on RH 8.0

-11101011-
Eric Baur
Desktop Support, IS Dept.
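The post's reasoning is that a source address inside $HOME_NET cannot be inside $EXTERNAL_NET when EXTERNAL_NET is defined as !$HOME_NET, so the rule header should never match the alerted packet. The following is an added example, not code from the post or from the Snort project: a small Python model of how Snort IP-list variables with negation are expected to evaluate, used to check the alerted packet against the rule header. It uses the variable definitions and rule quoted above; 192.0.2.0/24 and 192.0.2.174 are constructed stand-ins for the poster's real a.b.c.0/24 and a.b.c.174, and the "var NAME VALUE" parsing and the set of supported list forms (any, address, CIDR, bracketed list, leading "!") are assumptions of this model rather than a description of Snort's parser.

```python
# Added example (not from the original post or the Snort project): a Python
# model of the expected semantics of Snort IP-list variables with negation,
# used to evaluate a packet against a rule header. 192.0.2.0/24 is a
# constructed stand-in for the poster's real "a.b.c.0/24" range.
import ipaddress
import re

# Assumption: config lines are in the "var NAME VALUE" form quoted in the post.
SNORT_CONF = """
var HOME_NET [172.18.60.0/23 192.0.2.0/24 10.11.12.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS any
var HTTP_PORTS any
"""

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines into a dict of raw, unexpanded values."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def expand(value, variables):
    """Substitute $NAME references with the named variable's raw value."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)

def ip_in_list(ip, spec, variables):
    """Evaluate an IP specification against one address.
    Supports: any, x.x.x.x, x.x.x.x/nn, [a b c] lists, and a leading '!'."""
    spec = expand(spec, variables).strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        # Negation: the address matches only if it is NOT in the inner list.
        return not ip_in_list(ip, spec[1:], variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = re.split(r"[\s,]+", spec[1:-1].strip())
        return any(ip_in_list(ip, m, variables) for m in members if m)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_in_list(port, spec, variables):
    """Evaluate a port specification: any, N, lo:hi ranges, leading '!'."""
    spec = expand(spec, variables).strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_in_list(port, spec[1:], variables)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def header_matches(rule, src_ip, src_port, dst_ip, dst_port, variables):
    """Check only the rule header (action proto src sport -> dst dport);
    the payload options in parentheses are deliberately not evaluated."""
    header = rule.split("(", 1)[0].split()
    _action, _proto, src, sport, _arrow, dst, dport = header[:7]
    return (ip_in_list(src_ip, src, variables)
            and port_in_list(src_port, sport, variables)
            and ip_in_list(dst_ip, dst, variables)
            and port_in_list(dst_port, dport, variables))

# The rule exactly as quoted in the post.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
        'content:"cmd.exe"; nocase; classtype:web-application-attack; '
        'sid:1002; rev:5;)')

def check_alert_packet(variables=None):
    """The packet from the ACID alert, with 192.0.2.174 standing in for a.b.c.174.
    Under the expected negation semantics this returns False."""
    variables = variables or parse_vars(SNORT_CONF)
    return header_matches(RULE, "192.0.2.174", 1215, "172.18.60.230", 1433, variables)

if __name__ == "__main__":
    v = parse_vars(SNORT_CONF)
    print("source in HOME_NET:", ip_in_list("192.0.2.174", "$HOME_NET", v))
    print("source in EXTERNAL_NET:", ip_in_list("192.0.2.174", "$EXTERNAL_NET", v))
    print("rule header matches:", check_alert_packet(v))
```

Running the script prints that the source is in HOME_NET, not in EXTERNAL_NET, and that the header does not match, which is the result the post expects. The model is useful as a quick sanity check of a config's variable definitions before loading them into the sensor; it says nothing about why a given Snort build fired the alert in practice.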
Current thread:
- EXTERNAL_NET definition Eric Baur (Mar 21)
- <Possible follow-ups>
- RE: EXTERNAL_NET definition Eric Baur (Mar 21)