Snort mailing list archives
RE: home_net and ext_net question
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Fri, 25 Apr 2003 12:10:06 -0400
Let's take the "funny things" a little farther. In the example:

    var HOME_NET [10.0.1.0/24,10.0.2.0/24]
    var EXTERNAL_NET !$HOME_NET

It is my understanding that if you have a rule that is something like "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ..." you could actually get alerts from within the 10.0.2.0 network. Why? Because Snort performs a first match between source address and destination. Therefore, a packet from 10.0.2.0/24 satisfies the !10.0.1.0/24.

Maybe I'm mixed up here (always a good possibility), but I seem to remember that when multiple networks are included in a rule the rule treats the networks in an OR fashion not an AND fashion.

Do any of the Snort Dev Team want to comment on this? Marty?!

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Thursday, April 24, 2003 6:37 PM
To: Snort-Users (E-mail)
Subject: RE: [Snort-users] home_net and ext_net question

At 02:38 PM 4/24/2003 -0700, Everist, Benjamin S. (NASWI) wrote:
<snip>Having HOME_NET encapsulate two or more networks can do funny things to the Snort rules when one simply negates EXTERNAL_NET (i.e., var EXTERNAL_NET !$HOME_NET, or some variant).

What kinds of funny things?

It will do funny things if you try to do HOME_NET as a comma-delimited list and forget to put ['s around it. Otherwise it should be fine.

    ![10.0.0.0/8,192.168.1.0/24]

is different than

    ! 10.0.0.0/8,192.168.1.0/24

I suspect this is where the "funny things" experience comes in, from someone errantly declaring:

    var HOME_NET 10.0.0.0/8,192.168.1.0/24
    var EXTERNAL_NET !$HOME_NET

Ooops.
Current thread:
- home_net and ext_net question Mike Zupan (Apr 23)
- <Possible follow-ups>
- Re: home_net and ext_net question Neil Dickey (Apr 23)
- RE: home_net and ext_net question L. Christopher Luther (Apr 23)
- RE: home_net and ext_net question Everist, Benjamin S. (NASWI) (Apr 24)
- RE: home_net and ext_net question Matt Kettler (Apr 24)
- RE: home_net and ext_net question L. Christopher Luther (Apr 25)
- RE: home_net and ext_net question Matt Kettler (Apr 25)
- RE: home_net and ext_net question L. Christopher Luther (Apr 25)
- RE: home_net and ext_net question Neil Dickey (Apr 25)
- RE: home_net and ext_net question Matt Kettler (Apr 25)