[Snort-devel] ipvar: double negation should logically result in inclusion

Jason Brvenik jasonb at ...402...
Wed Jun 4 10:41:02 EDT 2008



Jack Pepper wrote:
> Quoting Jason Brvenik <jasonb at ...402...>:
> 
>>> This should logically result in: "All IP addresses MINUS (1.1.1.1
>>> and IP from 2.2.2.0 to 2.2.2.255 EXCEPT 2.2.2.2 and 2.2.2.3)",
>>> however, it is not supported:
>> Why wouldn't you just define
>> ipvar EXTERNAL_NET [!1.1.1.1/32,!2.2.2.0/24,[2.2.2.2,2.2.2.3]]
> 
> You misunderstood his question.  Consider this example:
> 
> var PROXY 10.2.3.4
> var EXTERNAL_NET [!10.0.0.0/8,$PROXY]
> 
> alert icmp $EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (ext - incl proxy)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)
> 
> alert icmp !$EXTERNAL_NET any -> 10.2.2.43 any (msg:"ICMP PING Calibration Test (negated)"; itype:8; sid:1029368; classtype:misc-activity; rev:6;)
> 
> Results in this error:
> ERROR: snort.conf(13) => Negated IP ranges that are equal to or are more-general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
> 
> So the more general statement of the problem is that, "Negated IP  
> ranges that are equal to or are more-general than non-negated ranges  
> are not allowed.".

That error still makes sense: you would just leave the more general 
range out of the variable, never included; it is a redundant statement.

> 
> Your example fails if any rule references "!$EXTERNAL_NET".

We are talking about edge cases. When things like this come up, my 
general response is "Don't do that".

The reality is that it is easy to tune it accordingly.

I'm failing to see a general use case for this kind of behavior, let 
alone one that offsets the potential for unintended consequence.

> 
> jp
> 
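The set semantics argued over above, as an added example in Python that is not part of this thread and not Snort's own code: a small parser for the bracket/`!` address-list syntax with `$VAR` expansion, a membership check that treats `!` as plain set complement (so it can show what the requested double negation would mean), and a validator that mirrors the two restrictions quoted in the thread, no negation of a list that itself contains negations, and no negated range that is equal to or more general than a non-negated one. The node layout, function names and error texts are this example's own assumptions, modelled on the error message quoted above rather than taken from Snort's source.

```python
# Added example modelling Snort-style ipvar address lists; names and
# error texts are this example's assumptions, not Snort's code.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


class AddrListError(ValueError):
    """Raised for address lists the parser or validator rejects."""


def parse(text, variables=None):
    """Parse e.g. '[!10.0.0.0/8,$PROXY]' into ("net", network) / ("not", node)
    / ("list", [nodes]) tuples; '$NAME' expands from `variables` in place."""
    variables, pos = variables or {}, 0

    def expr():
        nonlocal pos
        pos = len(text) - len(text[pos:].lstrip())  # skip whitespace
        if text.startswith("!", pos):
            pos += 1
            return ("not", expr())
        if text.startswith("[", pos):
            pos, items = pos + 1, []
            while True:
                items.append(expr())
                pos = len(text) - len(text[pos:].lstrip())
                sep = text[pos:pos + 1]
                pos += 1
                if sep == "]":
                    return ("list", items)
                if sep != ",":
                    raise AddrListError("expected ',' or ']' at offset %d" % (pos - 1))
        end = pos
        while end < len(text) and text[end] not in ",]":
            end += 1
        tok, pos = text[pos:end].strip(), end
        if tok.startswith("$"):
            if tok[1:] not in variables:
                raise AddrListError("undefined variable " + tok)
            return parse(variables[tok[1:]], variables)
        try:
            return ("net", ANY if tok == "any" else ipaddress.ip_network(tok, strict=False))
        except ValueError as exc:
            raise AddrListError("bad address %r" % tok) from exc

    node = expr()
    if text[pos:].strip():
        raise AddrListError("trailing data at offset %d" % pos)
    return node


def matches(node, ip):
    """A list matches when ip is in some non-negated entry (or there is none,
    an implicit 'any') and in no negated entry; '!' is plain complement, so
    a doubly negated list evaluates here as ordinary set algebra."""
    ip = ipaddress.ip_address(ip)
    kind, body = node
    if kind == "net":
        return ip in body
    if kind == "not":
        return not matches(body, ip)
    positives = [c for c in body if c[0] != "not"]
    negatives = [c[1] for c in body if c[0] == "not"]
    included = not positives or any(matches(c, ip) for c in positives)
    return included and not any(matches(c, ip) for c in negatives)


def flatten(node, negated=False):
    """Reduce the tree to (network, negated) leaves, the flat form an ipvar is
    stored in. Negating a list that holds negated entries has no flat form
    (the difference becomes a union), which is the unsupported case above."""
    kind, body = node
    if kind == "net":
        return [(body, negated)]
    if kind == "not":
        return flatten(body, not negated)
    if negated and any(c[0] == "not" for c in body):
        raise AddrListError("negating a list with negated entries is not supported")
    return [leaf for child in body for leaf in flatten(child, negated)]


def validate(node):
    """Reject '!any' and a negated range equal to or more general than a
    non-negated one: that non-negated entry could never match."""
    leaves = flatten(node)
    wanted = [n for n, is_neg in leaves if not is_neg]
    for neg in [n for n, is_neg in leaves if is_neg]:
        if neg.prefixlen == 0:
            raise AddrListError("!any would leave an empty set")
        for net in wanted:
            if net.version == neg.version and net.subnet_of(neg):
                raise AddrListError(
                    "Negated IP ranges that are equal to or are more-general than "
                    "non-negated ranges are not allowed (!%s covers %s). "
                    "Consider inverting the logic." % (neg, net))
    return True


def rejects(text, variables=None):
    """True when a definition fails to parse or validate."""
    try:
        return not validate(parse(text, variables))
    except AddrListError:
        return True
```

With this model, `[!10.0.0.0/8,$PROXY]` from the thread trips the validator because 10.0.0.0/8 covers 10.2.3.4, and the outer-negated form `![1.1.1.1,[2.2.2.0/24,![2.2.2.2,2.2.2.3]]]` is rejected by `flatten` even though `matches` can evaluate it. The inversion the error message suggests, defining the non-negated list `[1.1.1.1,[2.2.2.0/24,![2.2.2.2,2.2.2.3]]]` and negating the variable as a whole in the rule, validates and yields the same membership.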