Re: Network Variables

[James Lay <jlay () slave-tothe-box net>]

Nicely done Waldo.

James

On 2013-05-02 13:00, waldo kitty wrote:
> On 5/2/2013 13:23, Seth Dunn wrote:
> > So now my question comes, since you were wondering about the rule I 
> > was
> > using.
> > This is my rule::
> > not net 10.10.0.0/24 and dst host 10.75.45.1&&  dst port 80 or not 
> > net
> > 10.30.0.0/24 and dst host 10.75.45.1&&  dst port 80
>
> ok, i'm going to try to break this down and interpret your wants one
> section at
> a time...
>
> > By my understanding, and my desire to see happen is this.
> > Traffic from the network 10.10.0.0/24 going to http at 10.75.45.1 
> > should
> > be ignored.
>
> (net 10.10.0.0/24 and (host 10.75.45.1 and port 80))
>
> > Also, traffic from the network 10.30.0.0/24 going to http at 
> > 10.75.45.1
> > should be ignored.
>
> (net 10.30.0.0/24 and (host 10.75.45.1 and port 80))
>
> > All other traffic is still monitored.
>
> the above should qualify your two wants... now, let's streamline them
> a bit to
> make it more legible...
>
> first, let's combine the two source networks into one statement...
>
> net (10.10.0.0/24 or 10.30.0.0/24)
>
> now the destination host and destination port...
>
> host 10.75.45.1 and port 80
>
> then combine those two lines...
>
> net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 80
>
> and lastly negate the whole thing by enclosing it in parens with
> 'not' on the
> outside...
>
>
> not (net (10.10.0.0/24 or 10.30.0.0/24) and host 10.75.45.1 and port 
> 80)
>
>
> plug that line into your bpf with the double quotes or whatever you
> need to wrap
> around it and see what happens ;)
>
>
> FWIW: this was minimally tested on my network via tcpdump and
> manually checking
> the pcap with wireshark...
>
> NOTES:
> 1. using 'src net' and 'dst host' plus 'dst port' resulted in only
> the traffic
> /to/ the server being ignored but all the traffic from the server was 
> seen...
>
> 2. removing the 'src' and 'dst' designators denotes all traffic in 
> both
> directions that fits the mask (if i can use that term to describe
> this object)...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It's a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!