[Snort-devel] bug(?): variables in preproc. flow-portscan src/dst-ignore-net

James Affeld jamesaffeld at ...398...
Fri Jul 30 17:28:24 EDT 2004


Problem: variables declared in snort config file not
usable in flow-portscan src-ignore-net or (presumably)
dst-ignore-net UNLESS the variable is first in the
list

Discussion: I have a large number of hosts to exclude
as flow-portscan sources, some of which were already
grouped under a variable.  When I included that
variable at the end of the list and attempted to
restart Snort, I got "Unable to create an IPSet
from..."

Steps to repro:

1) Create a variable in snort.conf

var LOTS_OF_HOSTS [205.227.137.53/32,216.49.88.143/32,205.227.137.53/32,216.49.88.143/32]

2) Add the variable to the src-dst-ignore-net entry in
the flow-portscan section

      src-ignore-net [X.Y.100.9/32,$LOTS_OF_HOSTS,X.Y.96.8/32,X.Y.96.9/32] \

3) Save config file and restart Snort

Expected result - correct parsing of the list
Actual result - "Unable to create an IPSet from..."

WORKAROUND: if the variable $LOTS_OF_HOSTS is first in
the list, Snort will load.  I have not tested to see
if the variable entries are actually excluded by the
preprocessor, but the list is read and loaded.  Also,
if there is more than one variable, the second
variable can be placed elsewhere in the list.  I
tested putting a second variable in the second
position in the list, as well as the third, after an
entry for an individual host.  

I'd be happy to submit the entire snort.conf and
ruleset, but thought that would be overkill.  This is
not a huge deal, but I didn't see a workaround on
Google.  Now it will be...
