[Snort-devel] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)

elof at ...969...
Wed Oct 3 05:02:46 EDT 2012


Unfortunately, your solution fails when you have rules like this:

var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
var EXTERNAL_NET any
alert tcp $HOME_NET any -> !$HOME_NET 69

!$HOME_NET will expand to a negated list with negated items in it. Double 
negation is not allowed --> bailout.


Example:
I have rules that must *only* match outgoing traffic from the HOME_NET to 
the internet, not internal traffic from a HOME_NET client to a HOME_NET 
server.
Like if I only want an alert when snort sees a TFTP file transfer towards 
the internet, not internal TFTP transfers:

original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69

or rules like this:
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53

...will fail with:

ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: !$DNS_SERVERS. 
Fatal Error, Quitting..



I made a request to the snort developers, like four years ago, to fix 
this and allow negated items in a negated list. I didn't get any response 
if I recall correctly.

I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS, 
etc.

/Elof
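The semantics the request asks for can be modelled directly: a negated item removes addresses from the enclosing list, and a leading `!` on the whole list is just the set complement, so `!$HOME_NET` with negated items inside is well defined. The following is an added Python model of that logic (not Snort's own parser or matching code); the HOME_NET value is the one from this thread and the traffic addresses are constructed.

```python
import ipaddress

def _parse(s, i):
    """Parse one element at s[i]: ('net', negated, network) or ('list', negated, items)."""
    neg = s[i] == '!'
    if neg:
        i += 1
    if s[i] == '[':
        items, i = [], i + 1
        while s[i] != ']':
            elem, i = _parse(s, i)
            items.append(elem)
            if s[i] == ',':
                i += 1
        return ('list', neg, items), i + 1
    j = i
    while j < len(s) and s[j] not in ',]':
        j += 1
    return ('net', neg, ipaddress.ip_network(s[i:j], strict=False)), j

def parse(text):
    """Parse a whole Snort-style ipvar value such as '[1.1.1.1,![2.2.2.2]]'."""
    s = text.replace(' ', '')
    elem, i = _parse(s, 0)
    if i != len(s):
        raise ValueError('trailing text in ' + text)
    return elem

def matches(elem, ip):
    """True if ip is in the set elem denotes. A list matches when ip is in some
    positive item and in none of the negated items (only-negated lists match
    everything else); a leading '!' complements the result, so a negated list
    containing negated items is simply the complement of the inner set."""
    kind, neg, body = elem
    if kind == 'net':
        hit = ipaddress.ip_address(ip) in body
    else:
        pos = [m for m in body if not m[1]]
        negs = [m for m in body if m[1]]  # matches() on these yields the complement
        in_pos = any(matches(m, ip) for m in pos) if pos else True
        hit = in_pos and all(matches(m, ip) for m in negs)
    return not hit if neg else hit

# Constructed HOME_NET value from the thread: a /24 with two hosts carved out.
HOME_NET = '[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]'

def tftp_rule_fires(src, dst, home_net=HOME_NET):
    """Model 'alert tcp $HOME_NET any -> !$HOME_NET 69': fire only when src
    is inside HOME_NET and dst is outside it (the double-negated expansion)."""
    return matches(parse(home_net), src) and matches(parse('!' + home_net), dst)
```

Note that the two carved-out hosts count as "not HOME_NET", so a transfer from a HOME_NET client to 2.2.2.2 would also fire under this model, which is exactly what the exclusion means.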



On Mon, 1 Oct 2012, Jack Pepper wrote:

> I did not know this was available.  that's a way better (and more
> intuitive) solution.
>      ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>
> jp
>
> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...402...> wrote:
>
>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...3332...>
>> wrote:
>>
>> the subject of how to exclude one IP address from HOME_NET still comes up
>> occasionally.  Usually it's a proxy server.  I wrote a little program a
>> long time ago (2008?) to create a HOME_NET statement with the proxy address
>> excluded.  Herewith I offer it to the public (should have done that a long
>> time ago).
>>      http://www.autoshun.org/exclusion.asp
>>
>>
>> Please see this section of the Snort Manual:
>>
>> http://manual.snort.org/node16.html#SECTION00312000000000000000
>>
>> As it references how to exclude certain IPs within a variable.
>>
>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>> emerging-sigs issue) and someone may find it useful.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>



