[Snort-devel] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)

Joel Esler jesler at ...402...
Wed Oct 3 10:30:11 EDT 2012


Can you use thresholding or a bpf to solve this problem?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 3, 2012, at 5:02 AM, elof at ...969... wrote:

> 
> Unfortunately, your solution fails when you have rules like this:
> 
> var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
> var EXTERNAL_NET any
> alert tcp $HOME_NET any -> !$HOME_NET 69
> 
> !$HOME_NET will expand to a negated list with negated items in it. Double negation is not allowed --> bailout.
> 
> 
> Example:
> I have rules that must *only* match outgoing traffic from the HOME_NET to the internet, not internal traffic from a HOME_NET client to a HOME_NET server.
> Like if I only want an alert when snort sees a TFTP file transfer towards the internet, not internal TFTP transfers:
> 
> original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
> modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
> 
> or rules like this:
> alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
> 
> ...will fail with:
> 
> ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: !$DNS_SERVERS. Fatal Error, Quitting..
> 
> 
> 
> I made a request to the snort developers, like four years ago, to fix this and allow negated items in a negated list. I didn't get any response if I recall correctly.
> 
> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS, etc.
> 
> /Elof
> 
> 
> 
> On Mon, 1 Oct 2012, Jack Pepper wrote:
> 
>> I did not know this was available.  That's a way better (and more
>> intuitive) solution.
>>     ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>> 
>> jp
>> 
>> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...402...> wrote:
>> 
>>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...3332...>
>>> wrote:
>>> 
>>> the subject of how to exclude one IP address from HOME_NET still comes up
>>> occasionally.  Usually it's a proxy server.  I wrote a little program a
>>> long time ago (2008?) to create a HOME_NET statement with the proxy address
>>> excluded.  Herewith I offer it to the public (should have done that a long
>>> time ago).
>>>     http://www.autoshun.org/exclusion.asp
>>> 
>>> 
>>> Please see this section of the Snort Manual:
>>> 
>>> http://manual.snort.org/node16.html#SECTION00312000000000000000
>>> 
>>> As it references how to exclude certain IPs within a variable.
>>> 
>>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>>> emerging-sigs issue) and someone may find it useful.
>>> 
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>> 
>> 
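To make the semantics of Elof's request concrete, here is an added example (not code from the thread or from Snort) that evaluates Snort-style ipvar lists with nested negation and shows which flows the rule `alert tcp $HOME_NET any -> !$HOME_NET 69` would match if double negation were allowed. The `HOME_NET` value is the one quoted in the thread; the treatment of a group containing only negated items as "everything except those" is an assumption of this example.

```python
import ipaddress

HOME_NET = "[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]"   # value from the thread

def _split_top(body):
    """Split on commas that are not inside a nested [...] group."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def parse(spec):
    """Return (negated, payload); payload is an ip_network or a list of nodes."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("[") and spec.endswith("]"):
        return negated, [parse(p) for p in _split_top(spec[1:-1])]
    return negated, ipaddress.ip_network(spec, strict=False)

def _covers(addr, payload):
    """Set membership of addr in payload, ignoring the node's own '!' flag."""
    if not isinstance(payload, list):
        return addr in payload
    positives = [p for neg, p in payload if not neg]
    negatives = [p for neg, p in payload if neg]
    # Assumption: a group holding only negated items means "everything except those".
    inside = any(_covers(addr, p) for p in positives) if positives else True
    return inside and not any(_covers(addr, p) for p in negatives)

def matches(addr, spec):
    """True if addr matches spec, honouring a leading '!' and nested '!' groups."""
    negated, payload = parse(spec)
    return _covers(ipaddress.ip_address(addr), payload) != negated

def tftp_rule_fires(src, dst, home_net=HOME_NET):
    """Address logic of 'alert tcp $HOME_NET any -> !$HOME_NET 69' from the thread."""
    return matches(src, home_net) and matches(dst, "!" + home_net)

if __name__ == "__main__":
    for src, dst in [("2.2.2.5", "8.8.8.8"), ("2.2.2.5", "2.2.2.9"),
                     ("2.2.2.5", "2.2.2.2"), ("2.2.2.2", "8.8.8.8")]:
        print(src, "->", dst, "fires" if tftp_rule_fires(src, dst) else "silent")
```

Note that traffic to the excluded host 2.2.2.2 fires, because the negated sub-list removes it from HOME_NET and `!$HOME_NET` therefore includes it; that is exactly the case the parser rejects today.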
