Snort mailing list archives

Re: Why is this rule still being tripped?


From: Martin Roesch <roesch () sourcefire com>
Date: Sat, 17 Jan 2004 16:17:15 -0500

Hi Orion,

Can you try:

var PUBLIC_NET [!65.171.192.0/24,!192.168.0.0/24,!65.104.69.192/27,!207.202.149.0/24,!12.105.80.64/27,!69.9.9.160/27]

There might be an issue with the way the lists are processed. Try that and let me know how it goes.

     -Marty

On Jan 13, 2004, at 3:24 PM, Orion Poplawski wrote:

Martin Roesch wrote:

Have you tried making a negated TRUSTED_NET set and using that instead of the global negation? I need to look at the logic, but I think that none of the IPs in TRUSTED_NET can match for the rule to fail.

Have you tried it with just the one net you want to ignore to narrow it down to the IP list?

     -Marty

Well, this doesn't change anything (as you would expect):


var TRUSTED_NET [65.171.192.0/24,192.168.0.0/24,65.104.69.192/27,207.202.149.0/24,12.105.80.64/27,69.9.9.160/27]
var PUBLIC_NET !$TRUSTED_NET

alert icmp $PUBLIC_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384; classtype:misc-activity; rev:4;)


What I don't understand is that I have:

var HOME_NET [65.171.192.0/24,192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET

and those rules work. Perhaps it is an issue when both IP addrs are negated lists?

If I do:

var TRUSTED_NET 65.104.69.192/27
var PUBLIC_NET !$TRUSTED_NET

Then the rule does not trip on $PUBLIC_NET->$HOME_NET traffic.

--
Orion Poplawski
System Administrator                   303-415-9701 x222
Colorado Research Associates/NWRA      FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
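A small model of how the address-variable negation discussed in this thread is meant to evaluate, added here as an example (it is not Snort's own parser code). It assumes the intended semantics that a negated list matches an address only when the address is in none of the listed networks, so the `[!a,!b,...]` form Marty suggests and the `![a,b,...]` form Orion used should give the same verdict; the variable table is constructed from the values quoted above.

```python
import ipaddress

# Constructed variable table mirroring the thread's configuration.
# PUBLIC_NET_INLINE is the per-entry-negated form from Marty's reply.
SNORT_VARS = {
    "HOME_NET": "[65.171.192.0/24,192.168.0.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "TRUSTED_NET": "[65.171.192.0/24,192.168.0.0/24,65.104.69.192/27,"
                   "207.202.149.0/24,12.105.80.64/27,69.9.9.160/27]",
    "PUBLIC_NET": "!$TRUSTED_NET",
    "PUBLIC_NET_INLINE": "[!65.171.192.0/24,!192.168.0.0/24,!65.104.69.192/27,"
                         "!207.202.149.0/24,!12.105.80.64/27,!69.9.9.160/27]",
}

def split_top_level(body):
    """Split a list body on commas that are not inside nested [...]."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items

def addr_matches(spec, ip, variables=SNORT_VARS):
    """True if ip matches a Snort-style address spec (any, CIDR, !x, $VAR, [..])."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):                       # negation flips the verdict
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):                       # variable reference
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        items = split_top_level(spec[1:-1])
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        # Positive entries are ORed; negated entries are ANDed (assumed semantics):
        # the address must be in some positive net (if any) and in no negated net.
        in_pos = any(addr_matches(p, ip, variables) for p in pos) if pos else True
        in_neg = any(addr_matches(n, ip, variables) for n in neg)
        return in_pos and not in_neg
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_fires(src_spec, dst_spec, src_ip, dst_ip, variables=SNORT_VARS):
    """Address-part check of a rule such as 'alert icmp $PUBLIC_NET any -> $HOME_NET any'."""
    return addr_matches(src_spec, src_ip, variables) and addr_matches(dst_spec, dst_ip, variables)
```

Under these semantics a ping from a TRUSTED_NET host such as 65.104.69.200 into HOME_NET must not fire the rule; if a real deployment still alerts on it, the discrepancy is in the engine's list handling, not in the rule.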



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net