Re: Snort home net and external net question

[Jason Wallace <jason.r.wallace () gmail com>]

That error is because the /16 contains the /24 (bigger = more general)

You can do ... [10.1.0.0/16, ![10.1.1.0/24]]

But you can not do ... [10.1.1.0/24,![10.1.0.0/16]]

Also, order does not matter.


pp. 20-21 Snort Manual

IP Variables and IP Lists

IPs may be specified individually, in a list, as a CIDR block, or any
combination of the three. If IPv6 support is
enabled, IP variables should be specified using ’ipvar’ instead of
’var’. Using ’var’ for an IP variable is still allowed
for backward compatibility, but it will be deprecated in a future release.

IPs, IP lists, and CIDR blocks may be negated with ’!’. Negation is
handled differently compared with Snort versions
2.7.x and earlier. Previously, each element in a list was logically
OR’ed together. IP lists now OR non-negated
elements and AND the result with the OR’ed negated elements.

The following example list will match the IP 1.1.1.1 and IP from
2.2.2.0 to 2.2.2.255, with the exception of IPs 2.2.2.2
and 2.2.2.3.

[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

The order of the elements in the list does not matter. The element
’any’ can be used to match all IPs, although ’!any’
is not allowed. Also, negated IP ranges that are more general than
non-negated IP ranges are not allowed.

See below for some valid examples if IP variables and IP lists.

ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]


Wally

P.S. It being Friday and all... I think that is worth 1 drink...

http://blog.joelesler.net/2008/02/snort-drinking-game-by-erek-adams.html



On Fri, Sep 3, 2010 at 1:54 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 9/3/2010 12:52, Joel Esler wrote:
> > On Sep 3, 2010, at 11:01 AM, Andy Berryman wrote:
> >
> > > If I have my home net of snort set to:
> > > var HOME_NET [10.215.0.0/16]
> > > How can I make my external net be !$HOME_NET and 10.215.40.0/24 subnet?
> >
> > With recent versions of Snort,
>
> please define "recent"... 2.8.3?
>
> > you can do positives and negatives in the same
> > variable, but the more specific entry needs to come first.
>  > var HOME_NET [10.215.0.0/16]
>  > var EXTERNAL_NET [10.216.40.0/16,!$HOME_NET]
>
> [aside] bug alert in the above! 2 bugs exist [/aside]
>
> now that's nice and a lot easier than using a CIDR calculator to work out the
> ranges as i did for my reply...
>
> if you have two or more sub-ranges, they all go first before !HOME_NET?
> does their numerical order matter?
>
> ie:
> var HOME_NET [10.215.0.0/16]
> var EXTERNAL_NET [10.215.33.0/24,10.215.40.0/24,10.215.77.0/24,!$HOME_NET]
>
>
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users