[Snort-devel] ipvar: double negation should logically result in inclusion

Jack Pepper pepperjack at ...2971...
Tue Jun 3 14:58:26 EDT 2008


Quoting Jason Brvenik <jasonb at ...402...>:

>> This should logically result in: "All IP addresses MINUS (1.1.1.1
>> and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)",
>> however, it is not supported:
>
> Why wouldn't you just define
> ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]

You misunderstood his question.  Consider this example:

var PROXY 10.2.3.4
var EXTERNAL_NET [!10.0.0.0/8,$PROXY]

alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (ext - incl proxy)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)

alert icmp !$EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (negated)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)

Results in this error:
ERROR: snort.conf(13) => Negated IP ranges that are equal to or are more-general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.

So the more general statement of the problem is: "Negated IP ranges that are equal to or are more-general than non-negated ranges are not allowed."

Your example fails if any rule references "!$EXTERNAL_NET".

jp




-- 
Framework?  I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
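To make the disagreement above concrete, here is a small model of the IP-list semantics the quoted error message implies. This is an added example, not Snort's own sf_ipvar code, and it rests on three assumptions: nested bracket lists are flattened into the enclosing list, a negated variable reference (`!$VAR`) flips the polarity of every entry, and the "negated range equal to or more general than a non-negated range" check runs on the flattened list wherever it is used. The PROXY / EXTERNAL_NET values are the ones from the message; the other addresses are constructed.

```python
"""Model of Snort-style IP list variables: (network, negated) entries.

Constructed example for illustration only; not Snort's implementation.
Assumed match rule: an address matches a list when it lies inside no
negated entry and inside at least one non-negated entry (a list with no
non-negated entries means "any"). Nested brackets are flattened.
"""
import ipaddress
from typing import Dict, List, Tuple

# An entry is (IPv4Network or IPv6Network, negated?)
Entry = Tuple[object, bool]

ERROR_TEXT = ("Negated IP ranges that are equal to or are more-general than "
              "non-negated ranges are not allowed. Consider inverting the logic")


def _split_top_level(body: str) -> List[str]:
    """Split on commas that are not inside a nested [ ... ] list."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def negate(entries: List[Entry]) -> List[Entry]:
    """'!$VAR' flips every entry (De Morgan applied to the whole list)."""
    return [(net, not neg) for net, neg in entries]


def parse_ip_list(spec: str, variables: Dict[str, List[Entry]]) -> List[Entry]:
    """Parse e.g. '[!10.0.0.0/8,$PROXY,[1.1.1.1,!2.2.2.0/24]]' into flat entries."""
    spec = spec.strip()
    negated = False
    while spec.startswith("!"):        # '!!x' cancels out: double negation is inclusion
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):           # variable reference
        entries = list(variables[spec[1:]])
    elif spec.startswith("["):         # bracket list, possibly nested
        if not spec.endswith("]"):
            raise ValueError(f"unbalanced list: {spec}")
        entries = []
        for part in _split_top_level(spec[1:-1]):
            entries.extend(parse_ip_list(part, variables))
    elif spec == "any":
        entries = []
    else:                              # single host or CIDR
        entries = [(ipaddress.ip_network(spec, strict=False), False)]
    return negate(entries) if negated else entries


def validate(entries: List[Entry]) -> List[Entry]:
    """The check behind the quoted error: no negated range may be equal to or
    more general than (i.e. contain) a non-negated range in the same list."""
    for neg_net, is_neg in entries:
        if not is_neg:
            continue
        for pos_net, is_pos_neg in entries:
            if not is_pos_neg and pos_net.subnet_of(neg_net):
                raise ValueError(f"{ERROR_TEXT}: !{neg_net} covers {pos_net}")
    return entries


def is_valid(entries: List[Entry]) -> bool:
    try:
        validate(entries)
        return True
    except ValueError:
        return False


def matches(entries: List[Entry], addr: str) -> bool:
    """Set semantics: (OR of non-negated) AND NOT (OR of negated)."""
    ip = ipaddress.ip_address(addr)
    if any(is_neg and ip in net for net, is_neg in entries):
        return False
    positives = [net for net, is_neg in entries if not is_neg]
    return not positives or any(ip in net for net in positives)


def thread_example() -> Tuple[bool, bool, bool]:
    """Walk through the message: the definition as written is rejected, the
    inverted form is accepted, but negating the inverted form (to get
    'everything outside 10/8, plus the proxy') lands back on the rejected shape."""
    variables = {"PROXY": parse_ip_list("10.2.3.4", {})}
    as_written = parse_ip_list("[!10.0.0.0/8,$PROXY]", variables)
    inverted = parse_ip_list("[10.0.0.0/8,!$PROXY]", variables)   # "10/8 except proxy"
    return is_valid(as_written), is_valid(inverted), is_valid(negate(inverted))


if __name__ == "__main__":
    print(thread_example())            # (False, True, False)
```

Running `thread_example()` shows the shape of the problem the thread is about: the wanted set "all addresses except 10.0.0.0/8, but including the proxy" is the complement of a list the checker accepts, yet once the negation is flattened into the list it is the very shape the checker rejects.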