Snort mailing list archives
Bewildered, Multiple subnets/Vars/Negation
From: "Matt Sheridan" <slavetotruth () hotmail com>
Date: Thu, 03 Mar 2005 18:18:53 +0000
All - I need your help; I cannot figure out what I am missing. I have followed the Snort docs/FAQs as best I can, yet functionality for negating multiple networks - as another variable or directly - does not work. I am very frustrated.
Basically, I want to have a variable to use for "everything but these networks". Simple, right? Similar to EXTERNAL_NET...
So I have a list that I want to define as "INSIDE" and the negation as "OUTSIDE".
First I tried:

var INSIDE [199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]

(and)

var OUTSIDE !$INSIDE

for use in a rule such as:

alert tcp $OUTSIDE any -> any any ....

But application of OUTSIDE (while "accepted" (-T) by snort) doesn't work as it should... subnets from the INSIDE var STILL trigger.... ?!
(I tried making "var OUTSIDE ![$INSIDE]" also, accepted, but same deal.) Fine. So I will just define OUTSIDE by itself. This is where I became COMPLETELY bewildered....
var OUTSIDE ![199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]
THAT should do it... Nope. By the way, before you tell me to read the docs, the Snort FAQ states:

quote**********************
will NOT work: var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]
but this will work: var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16]
quote**********************

So my syntax is correct. However, I apply this new, specific, "as FAQ'ed" var to the NETBIOS NT NULL session rules (530):
alert tcp $OUTSIDE any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session";.....)
and I still trigger on subnets listed directly in the OUTSIDE var.... ?!
So, it doesn't work when you negate a standard variable (with many subnets), and it didn't work when I specifically negated the list (as per FAQ) directly in the variable....
I must be missing something simple, but can you please help? I feel crazy. For the record: RH, running 2.3.0. From .conf (slightly obfuscated):

var INSIDE [199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]
var OUTSIDE ![199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]
One rule that trips when it shouldn't:

alert tcp $OUTSIDE any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; priority:2; sid:530; rev:10;)

If I'm an idiot, please tell me where!!

-Matt
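Added example (not from the post above and not Snort's own code): a small Python model of the IP-list negation semantics the quoted FAQ implies, with the post's INSIDE/OUTSIDE variables reconstructed as constructed sample input. It shows the difference between `![a,b]` (complement of the union) and `[!a,!b]` (union of complements, which selects nearly every address), and what `!$INSIDE` should select under those semantics. The union/complement reading of bracketed lists is an assumption stated in the comments; this models the intended semantics only and does not explain why Snort 2.3.0 behaved as the post reports.

```python
# Added example (not from the post, not Snort's own code): a small model of how
# Snort-style IP lists and negation are normally read, to show why the FAQ says
# "[!a,!b]" cannot express "everything except a and b" while "![a,b]" can.
#
# Assumptions (labelled): a bracketed list is a union (OR) of its entries; a
# leading "!" on the whole spec negates that union; a "!" on a single entry
# negates only that entry; "$NAME" is resolved from a dict of variables.
import ipaddress


def _split_spec(spec):
    """Split a spec into (whole_negated, [entry, ...])."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        entries = [e.strip() for e in spec[1:-1].split(",") if e.strip()]
    else:
        entries = [spec]
    return negated, entries


def matches(spec, ip, variables=None):
    """True if `ip` is selected by the Snort-style IP `spec`."""
    variables = variables or {}
    addr = ipaddress.ip_address(ip)
    negated, entries = _split_spec(spec)
    hit = False
    for entry in entries:
        entry_neg = entry.startswith("!")
        body = entry[1:] if entry_neg else entry
        if body == "any":
            entry_hit = True
        elif body.startswith("$"):
            # variable reference, e.g. "$INSIDE" or "!$INSIDE": evaluate recursively
            entry_hit = matches(variables[body[1:]], ip, variables)
        else:
            entry_hit = addr in ipaddress.ip_network(body, strict=False)
        hit = hit or (entry_hit != entry_neg)
    return hit != negated


# Constructed config mirroring the post's variables (prefixes as written there),
# plus the two forms the Snort FAQ contrasts.
VARIABLES = {
    "INSIDE": "[199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]",
    "OUTSIDE": "!$INSIDE",
    "FAQ_BAD": "[!192.168.40.0/24,!10.14.0.0/16]",
    "FAQ_GOOD": "![192.168.40.0/24,10.14.0.0/16]",
}


def source_selected(var_name, src_ip, variables=VARIABLES):
    """Would a rule using $var_name as its source address select src_ip?"""
    return matches("$" + var_name, src_ip, variables)


if __name__ == "__main__":
    for var, ip in [("OUTSIDE", "10.1.2.3"), ("OUTSIDE", "8.8.8.8"),
                    ("FAQ_BAD", "10.14.1.1"), ("FAQ_GOOD", "10.14.1.1")]:
        print(f"${var} selects {ip}: {source_selected(var, ip)}")
```

Under these semantics `$OUTSIDE` (i.e. `!$INSIDE`) does not select 10.1.2.3 and does select 8.8.8.8, and the FAQ's "will NOT work" form `[!a,!b]` selects 10.14.1.1 because an address outside `a` already satisfies the `!a` entry; that is the trap the FAQ is warning about, and it is a separate matter from the 2.3.0 behaviour the post describes.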