Snort mailing list archives

Re: Network Variables


From: "Seth Dunn" <seth () d2ms com>
Date: Thu, 2 May 2013 14:08:15 -0400

Ok, I set up my bpf file like you suggested, but it isn't working.
Just got this alert:
May 02 14:05:35 CX-Management snort: [1:9990003:1] NT2-SQL
Injection-Exec [Classification: Web Application Attack] [Priority: 1]
{TCP} 10.30.0.21:37215 -> 10.75.45.1:80

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Thursday, May 02, 2013 1:36 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Network Variables

Parentheses will help:

"not (net 10.10.0.0/24 && dst host 10.75.45.1 && dst port 80) or (not
net 10.30.0.0/24 && dst host 10.75.45.1 && dst port 80)"

James

On 2013-05-02 11:23, Seth Dunn wrote:
So now my question comes, since you were wondering about the rule I 
was using.
This is my rule:
not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net
10.30.0.0/24 and dst host 10.75.45.1 && dst port 80

My understanding, and what I want to happen, is this:
Traffic from the network 10.10.0.0/24 going to http at 10.75.45.1 
should be ignored.
Also, traffic from the network 10.30.0.0/24 going to http at 10.75.45.1
should be ignored.
All other traffic is still monitored.

Is this correct, based on the rule above, or should it be worded 
another way?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
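
Added example, not part of the thread or of Snort: a small evaluator for the pcap-filter subset used above, run against the packet from the alert. It assumes documented pcap-filter semantics (negation binds tightest; and/or have equal precedence and group left to right; an unqualified `net` matches source or destination) and that Snort only inspects packets the BPF passes. `GROUPED` is a filter constructed here for comparison.

```python
import ipaddress, re
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst sport dport")

def compile_bpf(expr):
    """Compile a small pcap-filter subset (net/host/port, not/and/or) to a predicate."""
    toks, pos = re.findall(r"\(|\)|&&|\|\||[^\s()&|]+", expr), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def primary():
        t = take()
        if t == "not":                      # negation binds to the next primitive only
            inner = primary()
            return lambda p: not inner(p)
        if t == "(":
            inner = chain()
            take()                          # consume ")"
            return inner
        dirs = ("src", "dst")               # no qualifier: match either direction
        if t in dirs:
            dirs, t = (t,), take()
        val = take()
        if t == "port":
            return lambda p: any(getattr(p, d[0] + "port") == int(val) for d in dirs)
        net = ipaddress.ip_network(val)     # "host" is treated as a /32 network
        return lambda p: any(ipaddress.ip_address(getattr(p, d)) in net for d in dirs)
    def chain():
        left = primary()                    # and/or: equal precedence, left to right
        while pos < len(toks) and toks[pos] in ("and", "&&", "or", "||"):
            op, l, r = take(), left, primary()
            left = ((lambda p, l=l, r=r: l(p) and r(p)) if op in ("and", "&&")
                    else (lambda p, l=l, r=r: l(p) or r(p)))
        return left
    return chain()

def inspected(filter_text, pkt):
    """True if pkt passes the BPF filter, i.e. Snort still evaluates rules on it."""
    return compile_bpf(filter_text)(pkt)

ORIGINAL = ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net "
            "10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
SUGGESTED = ("not (net 10.10.0.0/24 && dst host 10.75.45.1 && dst port 80) or (not "
             "net 10.30.0.0/24 && dst host 10.75.45.1 && dst port 80)")
# Constructed alternative, not from the thread: one negation around the whole exclusion
GROUPED = ("not (dst host 10.75.45.1 and dst port 80 and "
           "(src net 10.10.0.0/24 or src net 10.30.0.0/24))")
ALERT = Pkt("10.30.0.21", "10.75.45.1", 37215, 80)   # packet from the alert in the post
```

`inspected(ORIGINAL, ALERT)` and `inspected(SUGGESTED, ALERT)` are both true because the `not net 10.10.0.0/24` branch alone already passes a 10.30.0.0/24 packet; `inspected(GROUPED, ALERT)` is false.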
