Snort mailing list archives

Re: Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)


From: elof () sentor se
Date: Wed, 3 Oct 2012 18:14:17 +0200 (CEST)


Hi Jack.

Perhaps it does, but calculating a list like that to exclude some IPs is 
not practical I think.

I have approx 15 networks in my HOME_NET and in general I would have 0-3 
exclusions per net. That would generate a *huge* HOME_NET variable.
Not very human readable/understandable.

Snort-wise that might not result in a huge performance impact, or it 
will... I don't know.

/Elof


On Wed, 3 Oct 2012, Jack Pepper wrote:

So elof, does changing HOME_NET to this solve your request?

HOME_NET=[1.1.1.1,2.128.0.0/9,2.64.0.0/10,2.32.0.0/11,2.16.0.0/12,2.8.0.0/13,2.4.0.0/14,2.0.0.0/15,2.3.0.0/16,2.2.128.0/17,2.2.64.0/18,2.2.32.0/19,2.2.16.0/20,2.2.8.0/21,2.2.4.0/22,2.2.0.0/23,2.2.3.0/24,2.2.2.128/25,2.2.2.64/26,2.2.2.32/27,2.2.2.16/28,2.2.2.8/29,2.2.2.4/30,2.2.2.0/31]


The above HOME_NET is the same as
[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]],
right?





On Wed, Oct 3, 2012 at 4:02 AM, <elof () sentor se> wrote:


Unfortunately, your solution fails when you have rules like this:

var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
var EXTERNAL_NET any
alert tcp $HOME_NET any -> !$HOME_NET 69

!$HOME_NET will expand to a negated list with negated items in it. Double
negation is not allowed --> bailout.


Example:
I have rules that must *only* match outgoing traffic from the HOME_NET to
the internet, not internal traffic from a HOME_NET client to a HOME_NET
server.
Like if I only want an alert when snort sees a TFTP file transfer towards
the internet, not internal TFTP transfers:

original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69

or rules like this:
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53

...will fail with:

ERROR: snort.conf(1234) Negated IP ranges that are more general than
non-negated ranges are not allowed. Consider inverting the logic:
!$DNS_SERVERS. Fatal Error, Quitting..



I made a request to the snort developers, like four years ago, to fix this
and allow negated items in a negated list. I didn't get any response if I
recall correctly.

I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS,
etc.

/Elof



On Mon, 1 Oct 2012, Jack Pepper wrote:

I did not know this was available.  That's a way better (and more
intuitive) solution.
    ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

jp

On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler () sourcefire com> wrote:

On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack () afferentsecurity com>
wrote:

the subject of how to exclude one IP address from HOME_NET still comes up
occasionally.  Usually it's a proxy server.  I wrote a little program a
long time ago (2008?) to create a HOME_NET statement with the proxy
address
excluded.  Herewith I offer it to the public (should have done that a long
time ago).
    http://www.autoshun.org/exclusion.asp


Please see this section of the Snort Manual:

http://manual.snort.org/node16.html#SECTION00312000000000000000

As it references how to exclude certain IPs within a variable.

Also Cc'ing the Snort-users list, as this is a Snort issue (not an
emerging-sigs issue) and someone may find it useful.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
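An added example, written for this archive page and not code from the thread, from Jack's exclusion tool or from the Snort project: it performs the same calculation Jack's list above does (carve a few hosts out of a block and express the remainder as plain CIDRs, so the whole variable can be negated in a rule without the double negation Snort rejects), using only Python's standard `ipaddress` module. It also includes the check a practitioner wants before pasting a hand-built list into snort.conf: whether the list covers exactly the intended address set. `JACKS_HOME_NET` is Jack's list from the message above, transcribed as constructed input; all function names are this example's own.

```python
import ipaddress

# Jack's hand-built HOME_NET from the message above, transcribed here as
# constructed input for the equivalence check.
JACKS_HOME_NET = [
    "1.1.1.1", "2.128.0.0/9", "2.64.0.0/10", "2.32.0.0/11", "2.16.0.0/12",
    "2.8.0.0/13", "2.4.0.0/14", "2.0.0.0/15", "2.3.0.0/16", "2.2.128.0/17",
    "2.2.64.0/18", "2.2.32.0/19", "2.2.16.0/20", "2.2.8.0/21", "2.2.4.0/22",
    "2.2.0.0/23", "2.2.3.0/24", "2.2.2.128/25", "2.2.2.64/26", "2.2.2.32/27",
    "2.2.2.16/28", "2.2.2.8/29", "2.2.2.4/30", "2.2.2.0/31",
]


def exclude(networks, excluded):
    """Return the sorted minimal list of CIDR blocks equal to `networks` minus `excluded`.

    Every element of the result is a plain (non-negated) block, so a variable
    built from it can itself be negated in a rule (e.g. !$HOME_NET) without
    producing a negated item inside a negated list.  Exclusions that do not
    overlap any of `networks` are simply ignored.
    """
    remaining = {ipaddress.ip_network(n) for n in networks}
    for ex in map(ipaddress.ip_network, excluded):
        kept = set()
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the sub-blocks of `net` that do not
                # overlap `ex`; it yields nothing when ex == net, which
                # correctly drops a block that is excluded in its entirety.
                kept.update(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # `net` lies wholly inside the exclusion: drop it
            else:
                kept.add(net)  # no overlap: keep the block untouched
        remaining = kept
    return sorted(remaining)


def to_snort_list(blocks):
    """Render blocks in Snort's bracketed list syntax; /32s become bare addresses."""
    parts = [str(b.network_address) if b.prefixlen == 32 else str(b) for b in blocks]
    return "[" + ",".join(parts) + "]"


def same_address_set(list_a, list_b):
    """True if two CIDR lists cover exactly the same addresses.

    Both sides are collapsed to their unique minimal CIDR cover, so differences
    in ordering or in how a range happens to be split do not matter.
    """
    a = list(ipaddress.collapse_addresses(ipaddress.ip_network(str(n)) for n in list_a))
    b = list(ipaddress.collapse_addresses(ipaddress.ip_network(str(n)) for n in list_b))
    return a == b


def main():
    intended = exclude(["1.1.1.1", "2.2.2.0/24"], ["2.2.2.2", "2.2.2.3"])
    print("var HOME_NET " + to_snort_list(intended))
    print("matches 2.2.2.0/24 minus the two hosts:",
          same_address_set(JACKS_HOME_NET, intended))
    print("matches 2.0.0.0/8 minus the two hosts:",
          same_address_set(JACKS_HOME_NET,
                           exclude(["1.1.1.1", "2.0.0.0/8"], ["2.2.2.2", "2.2.2.3"])))


if __name__ == "__main__":
    main()
```

Run against the list quoted above, `same_address_set` reports that Jack's list is equivalent to 2.0.0.0/8 minus 2.2.2.2 and 2.2.2.3 rather than to 2.2.2.0/24 minus those hosts (the /9 through /16 entries are the giveaway), which is a concrete instance of Elof's point that expanded lists of this kind are hard to read and review by eye. The /24 case needs only seven blocks plus the 1.1.1.1 host, and because none of them is negated the variable can be used as `!$HOME_NET` in a rule.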




