Snort mailing list archives

Bewildered, Multiple subnets/Vars/Negation


From: "Matt Sheridan" <slavetotruth () hotmail com>
Date: Thu, 03 Mar 2005 18:18:53 +0000

All - I need your help, I cannot figure out what I am missing. I have followed the Snort docs/FAQs as best I can, yet functionality for negating multiple networks - as another variable or directly - does not work. I am very frustrated.

Basically, I want to have a variable to use for "everything but these networks" Simple right? Similar to EXTERNAL_NET...

So I have a list that I want to define as "INSIDE" and the negation as "OUTSIDE"

First I tried:

Var INSIDE [199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]

(and)

Var OUTSIDE !$INDSIDE

for use in a rule such as:

alert tcp $OUTSIDE any -> any any ....

But application of OUTSIDE (while "accepted" (-T) by snort) doesn't work as it should... subnets from the INSIDE var STILL trigger.... ?!

(I tried making "var OUTSIDE ![$INSIDE]" also, accepted, but same deal)

Fine.

So I will just define OUTSIDE by itself. This is where I became COMPLETELY bewildered....

var OUTSIDE ![199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]

THAT should do it... Nope. By the way, before you tell me to read the docs, the Snort FAQs state:

quote**********************

will NOT work:

   var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]

but this will work:

   var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16]

quote**********************

So my syntax is correct.

However, I apply this new, specific, "as FAQ'ed" var to the NETBIOS NT NULL session rules (530)

alert tcp $OUTSIDE any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session";.....)

and I still trigger on subnets listed directly in the OUTSIDE var.... ?!


So, it doesn't work when you negate a standard variable (with many subnets), and it didn't work when I specifically negated the list (as per FAQ) directly in the variable....

I must be missing something simple, but can you please help? I feel crazy.

For the record:
RH, running 2.3.0

from .conf: (slightly obfuscated)
var INSIDE [199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]

var OUTSIDE ![199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]

One Rule that trips when it shouldn't:
alert tcp $OUTSIDE any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00| n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; priority:2; sid:530; rev:10;)


If I'm an idiot, please tell me where!!

-Matt
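An added example, not part of Matt's post and not Snort's own code: a small evaluator that applies the set semantics the quoted FAQ describes to the var definitions from the post. It treats a bracketed list as a union, a leading "!" as complement, and "$NAME" as variable expansion, so you can check what "![a,b]", "[!a,!b]" and "!$INSIDE" should match before blaming the rule. The variable names BROKEN, FIXED and OUTSIDE2, the CONF text and the sample addresses are constructed for this example; the evaluator models intended semantics only and is not Snort's parser, so it cannot tell you whether a given Snort build honours them.

```python
import ipaddress
import re

# Constructed config text: the INSIDE/OUTSIDE vars from the post plus the two
# forms quoted from the FAQ (BROKEN = "will NOT work", FIXED = "will work")
# and a negated-variable form (OUTSIDE2). Names other than INSIDE/OUTSIDE are
# made up for this example.
CONF = """
var INSIDE [199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]
var OUTSIDE ![199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]
var OUTSIDE2 !$INSIDE
var BROKEN [!192.168.40.0/24,!10.14.0.0/16]
var FIXED ![192.168.40.0/24,10.14.0.0/16]
"""


def parse_vars(text):
    """Return {name: expression} for each 'var NAME EXPR' line; '#' comments ignored."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"var\s+(\w+)\s+(\S+)$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def split_list(body):
    """Split a list body on commas at bracket depth 0 so nested lists survive."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def matches(expr, ip, variables, depth=0):
    """Evaluate an address expression against one IP with set semantics:
       '!X'     -> not matches(X)              (complement)
       '[a,b]'  -> matches(a) or matches(b)    (a list is a union)
       '$NAME'  -> expand the variable
       'any'    -> True
       CIDR     -> ip is inside that network
    """
    if depth > 20:
        raise ValueError("variable expansion too deep (cycle?)")
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables, depth + 1)
    if expr.startswith("$"):
        name = expr[1:]
        if name not in variables:
            raise KeyError("undefined variable " + name)
        return matches(variables[name], ip, variables, depth + 1)
    if expr.startswith("[") and expr.endswith("]"):
        return any(matches(p, ip, variables, depth + 1) for p in split_list(expr[1:-1]))
    if expr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def check(var_name, ip, conf=CONF):
    """True if the named var would match the source address ip under set semantics."""
    return matches("$" + var_name, ip, parse_vars(conf))


if __name__ == "__main__":
    for name in ("INSIDE", "OUTSIDE", "OUTSIDE2", "BROKEN", "FIXED"):
        for ip in ("10.1.2.3", "192.168.40.5", "8.8.8.8"):
            print(f"{name:9} {ip:14} -> {check(name, ip)}")
```

Under these semantics "[!a,!b]" matches every address, because any address outside a is inside "!a" and vice versa, which is exactly why the FAQ says it will not work; "![a,b]" and "!$INSIDE" exclude every listed subnet, which is the behaviour the post expects from the OUTSIDE var.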




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net