[Snort-devel] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)
elof at ...969...
Wed Oct 3 11:16:53 EDT 2012
Short answer: No
Not a solution. I want snort to sniff on all the traffic; nothing should
be filtered out by bpf.

Well, it could probably be done with suppression, but that would be quite
ugly. I have to invent a new rules-management function that would need to
be set up to automatically suppress the HOME_NET networks, in the correct
direction, based on which rules have an inverted variable.
(Trying to handle this suppression manually is out of the question.)

So, currently, snort prohibits me from adding exclusions to my $HOME_NET.

It is more important to me to be able to define more granular IP flow
criteria in the rules than it is to be able to exclude specific IPs or
nets from my HOME_NETs.
That is, I'd rather live with the "false positives" from not being able to
exclude some IPs from HOME_NET than not be able to define rules that
only match true outgoing or true incoming traffic between the HOME_NET and
the big bad Internet.

But naturally I want both. :-)

I want snort to be able to handle variables like HOME_NET where I have
excluded my proxy, and at the same time have rules with "$HOME_NET
any -> !$HOME_NET 69" and "!$DNS_SERVERS any -> $DNS_SERVERS 53" in them.
On Wed, 3 Oct 2012, Joel Esler wrote:
> Can you use thresholding or a bpf to solve this problem?
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> On Oct 3, 2012, at 5:02 AM, elof at ...969... wrote:
>> Unfortunately, your solution fails when you have rules like this:
>> var HOME_NET [18.104.22.168,22.214.171.124/24,![126.96.36.199,188.8.131.52]]
>> var EXTERNAL_NET any
>> alert tcp $HOME_NET any -> !$HOME_NET 69
>> !$HOME_NET will expand to a negated list with negated items in it. Double negation is not allowed --> bailout.
>> I have rules that must *only* match outgoing traffic from the HOME_NET to the internet, not internal traffic from a HOME_NET client to a HOME_NET server.
>> Like if I only want an alert when snort sees a TFTP file transfer towards the internet, not internal TFTP transfers:
>> original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
>> modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
>> or rules like this:
>> alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
>> ...will fail with:
>> ERROR: snort.conf(1234) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: !$DNS_SERVERS. Fatal Error, Quitting..
>> I made a request to the snort developers, like four years ago, to fix this and allow negated items in a negated list. I didn't get any response if I recall correctly.
>> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS, etc.
>> On Mon, 1 Oct 2012, Jack Pepper wrote:
>>> I did not know this was available. That's a way better (and more
>>> intuitive) solution.
>>> ipvar EXAMPLE [184.108.40.206,220.127.116.11/24,![18.104.22.168,22.214.171.124]]
>>> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...402...> wrote:
>>>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...3332...>
>>>> the subject of how to exclude one IP address from HOME_NET still comes up
>>>> occasionally. Usually it's a proxy server. I wrote a little program a
>>>> long time ago (2008?) to create a HOME_NET statement with the proxy address
>>>> excluded. Herewith I offer it to the public (should have done that a long
>>>> time ago).
>>>> Please see this section of the Snort Manual:
>>>> As it references how to exclude certain IPs within a variable.
>>>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>>>> emerging-sigs issue) and someone may find it useful.
>>>> Joel Esler
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
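The double-negation bailout described in the quoted messages above, as an added example (not code from the thread or from Snort): a small Python lint that parses a Snort-style ipvar list, substitutes it into a rule-header address such as !$HOME_NET, and reports the items that end up negated twice, so the problem is caught before snort.conf is loaded. The parsing is an assumption limited to CIDR literals and nested brackets (no 'any'), and the HOME_NET value is a constructed RFC 5737 sample in the shape of the one in the thread.

```python
import ipaddress
import re

VAR_RE = re.compile(r"\$(\w+)")

def parse_ip_list(text):
    """Parse a Snort-style IP list like '[10.0.0.1,10.0.1.0/24,![10.0.1.5]]' into
    a flat list of (negation_depth, network); each enclosing '!' adds one to depth."""
    text = text.replace(" ", "")
    pos = 0

    def parse_item(depth):
        nonlocal pos
        if text[pos] == "!":          # '!' applies to whatever follows it
            pos += 1
            return parse_item(depth + 1)
        if text[pos] == "[":          # nested list: items inherit current depth
            pos += 1
            leaves = []
            while text[pos] != "]":
                leaves.extend(parse_item(depth))
                if text[pos] == ",":
                    pos += 1
            pos += 1                  # consume the closing ']'
            return leaves
        m = re.match(r"[0-9.:a-fA-F/]+", text[pos:])
        if not m:
            raise ValueError(f"unexpected token at offset {pos}: {text[pos:]!r}")
        pos += m.end()
        return [(depth, ipaddress.ip_network(m.group(), strict=False))]

    leaves = parse_item(0)
    if pos != len(text):
        raise ValueError(f"trailing input: {text[pos:]!r}")
    return leaves

def expand_address(expr, variables):
    """Substitute $VAR (ipvar name -> list text) into a rule-header address and parse it."""
    return parse_ip_list(VAR_RE.sub(lambda m: variables[m.group(1)], expr))

def double_negated(leaves):
    """Networks at depth >= 2, i.e. the items Snort rejects as double negation
    when a list that already holds '!' items is itself negated in a rule."""
    return [str(net) for depth, net in leaves if depth >= 2]

# Constructed ipvar in the shape of the thread's HOME_NET (RFC 5737 addresses).
IPVARS = {"HOME_NET": "[192.0.2.1,198.51.100.0/24,![198.51.100.5,198.51.100.6]]"}
if __name__ == "__main__":
    for addr in ("$HOME_NET", "!$HOME_NET"):
        print(addr, "-> double-negated:", double_negated(expand_address(addr, IPVARS)))
```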