[Snort-devel] ipvar: double negation should logically result in inclusion

Cees celzinga at ...2499...
Tue Jun 3 10:29:09 EDT 2008


Hi list,

This post is a follow-up on a thread on the snort-users list (
http://marc.info/?l=snort-users&m=121207471707236&w=2)

When declaring variables using ipvar, it's confusing that double negation
doesn't result in inclusion. For example a declaration from
README.variables:

ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

("Will match the IP 1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255, with the
exception of 2.2.2.2 and 2.2.2.3.")

When inverting the logic for EXTERNAL_NET:
ipvar EXTERNAL_NET !$HOME_NET

This should logically result in: "All IP addresses MINUS (1.1.1.1 and IP
from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)", however, it is not
supported:

ERROR: Undefined variable name: (/etc/snort/rules/bad-traffic.rules:27):
EXTERNAL_NET

It would be really handy to declare variables like this. Is it possible to
support this in future versions?

Tested with Snort version 2.8.1 with IPv6 support
Snort.conf:
--
ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SNMP_SERVERS $HOME_NET

portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var RULE_PATH /etc/snort/rules

include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
--

Thanks, Cees
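As an added illustration (not Snort's code, and not from the original post), here is a small Python evaluator that gives the ipvar declarations above the set semantics the post argues for: `![X]` is the complement of `X`, so `!$HOME_NET` with a nested negation inside HOME_NET is still well defined. It assumes Snort's list rule that a list with only negated members means "anything except those"; the ipvar lines it evaluates are the ones from the snort.conf quoted in the post.

```python
import ipaddress

def split_top_level(s):
    """Split on commas that are not nested inside [...]."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def compile_ipvar(expr, variables):
    """Return a predicate ip -> bool for one ipvar expression (assumed semantics)."""
    expr = expr.strip()
    if expr.startswith("!"):                      # !X is the complement of X
        inner = compile_ipvar(expr[1:], variables)
        return lambda ip: not inner(ip)
    if expr.startswith("$"):                      # reference to an earlier ipvar
        return variables[expr[1:]]
    if expr.startswith("[") and expr.endswith("]"):
        elems = split_top_level(expr[1:-1])
        pos = [compile_ipvar(e, variables) for e in elems if not e.startswith("!")]
        neg = [compile_ipvar(e[1:], variables) for e in elems if e.startswith("!")]
        # Members of the positive part minus every negated part; a list with
        # only negated members means "anything except those".
        return lambda ip: ((not pos or any(p(ip) for p in pos))
                           and not any(n(ip) for n in neg))
    net = ipaddress.ip_network(expr, strict=False)   # single IP or CIDR
    return lambda ip: ipaddress.ip_address(ip) in net

def load_config(lines):
    """Evaluate 'ipvar NAME EXPR' lines in order, as snort.conf does."""
    variables = {}
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == "ipvar":
            variables[fields[1]] = compile_ipvar(fields[2], variables)
    return variables

# The two declarations from the post (constructed input for this example).
SNORT_CONF = ["ipvar HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]",
              "ipvar EXTERNAL_NET !$HOME_NET"]

def matches(var_name, ip, conf=SNORT_CONF):
    """True if ip falls inside the named ipvar under the assumed semantics."""
    return load_config(conf)[var_name](ip)
```

With these semantics the two excepted hosts 2.2.2.2 and 2.2.2.3 end up in EXTERNAL_NET, while the rest of 2.2.2.0/24 and 1.1.1.1 do not.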