[Snort-devel] Request: Allow double negated lists (was: How to exclude one IP address from HOME_NET)

elof at ...969...
Wed Oct 3 12:14:17 EDT 2012


Hi Jack.

Perhaps it does, but calculating a list like that to exclude some IPs is 
not practical, I think.

I have approx 15 networks in my HOME_NET and in general I would have 0-3 
exclusions per net. That would generate a *huge* HOME_NET variable.
Not very human readable/understandable.

Snort-wise that might not result in a huge performance impact, or it 
will... I don't know.

/Elof


On Wed, 3 Oct 2012, Jack Pepper wrote:

> So elof, does changing HOME_NET to this solve your request?
>
> HOME_NET=[1.1.1.1,2.128.0.0/9,2.64.0.0/10,2.32.0.0/11,2.16.0.0/12,2.8.0.0/13,2.4.0.0/14,2.0.0.0/15,2.3.0.0/16,2.2.128.0/17,2.2.64.0/18,2.2.32.0/19,2.2.16.0/20,2.2.8.0/21,2.2.4.0/22,2.2.0.0/23,2.2.3.0/24,2.2.2.128/25,2.2.2.64/26,2.2.2.32/27,2.2.2.16/28,2.2.2.8/29,2.2.2.4/30,2.2.2.0/31]
>
>
> The above HOME_NET is the same as
> [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]],
> right?
>
>
>
>
>
> On Wed, Oct 3, 2012 at 4:02 AM, <elof at ...969...> wrote:
>
>>
>> Unfortunately, your solution fails when you have rules like this:
>>
>> var HOME_NET [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>> var EXTERNAL_NET any
>> alert tcp $HOME_NET any -> !$HOME_NET 69
>>
>> !$HOME_NET will expand to a negated list with negated items in it. Double
>> negation is not allowed --> bailout.
>>
>>
>> Example:
>> I have rules that must *only* match outgoing traffic from the HOME_NET to
>> the internet, not internal traffic from a HOME_NET client to a HOME_NET
>> server.
>> Like if I only want an alert when snort sees a TFTP file transfer towards
>> the internet, not internal TFTP transfers:
>>
>> original rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 69
>> modified rule: alert tcp $HOME_NET any -> !$HOME_NET 69
>>
>> or rules like this:
>> alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53
>>
>> ...will fail with:
>>
>> ERROR: snort.conf(1234) Negated IP ranges that are more general than
>> non-negated ranges are not allowed. Consider inverting the logic:
>> !$DNS_SERVERS. Fatal Error, Quitting..
>>
>>
>>
>> I made a request to the snort developers, like four years ago, to fix this
>> and allow negated items in a negated list. I didn't get any response if I
>> recall correctly.
>>
>> I still request this, since I use rules with !$HOME_NET, !$DNS_SERVERS,
>> etc.
>>
>> /Elof
>>
>>
>>
>> On Mon, 1 Oct 2012, Jack Pepper wrote:
>>
>>> I did not know this was available.  That's a way better (and more
>>> intuitive) solution.
>>>      ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]
>>>
>>> jp
>>>
>>> On Mon, Oct 1, 2012 at 4:26 PM, Joel Esler <jesler at ...402...> wrote:
>>>
>>>> On Oct 1, 2012, at 3:20 PM, Jack Pepper <pepperjack at ...3334...> wrote:
>>>>
>>>> the subject of how to exclude one IP address from HOME_NET still comes up
>>>> occasionally.  Usually it's a proxy server.  I wrote a little program a
>>>> long time ago (2008?) to create a HOME_NET statement with the proxy
>>>> address
>>>> excluded.  Herewith I offer it to the public (should have done that a long
>>>> time ago).
>>>>      http://www.autoshun.org/exclusion.asp
>>>>
>>>>
>>>> Please see this section of the Snort Manual:
>>>>
>>>> http://manual.snort.org/node16.html#SECTION00312000000000000000
>>>>
>>>> As it references how to exclude certain IPs within a variable.
>>>>
>>>> Also Cc'ing the Snort-users list, as this is a Snort issue (not an
>>>> emerging-sigs issue) and someone may find it useful.
>>>>
>>>> --
>>>> Joel Esler
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire
>>>>
>>>>
>>>
>
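The approach Jack describes (replacing a list with negated entries by an equivalent list of positive-only CIDRs, so that a rule can say !$HOME_NET with only a single negation) is mechanical enough to script. The block below is an added example for this thread; it is not Snort project code and not the autoshun.org tool Jack links, and the names parse_entries, expand, render, snort_ipvar and covers are mine. It assumes Python 3.7 or later (for ipaddress.subnet_of) and one address family per variable. Running it on the list from the thread, [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]], gives 1.1.1.1 plus seven CIDRs; feeding it 2.0.0.0/8 instead of 2.2.2.0/24 reproduces the 24-entry list quoted above entry for entry, which is also a concrete measure of the growth Elof objects to: one excluded /31 costs 7 entries when carved out of a /24 and 23 when carved out of a /8.

```python
"""Expand a Snort IP-list variable that contains negated entries into an
equivalent positive-only list, so rules can use !$HOME_NET without a
double negation.

Added example for this thread; not Snort project code and not the
autoshun.org tool. Assumes Python 3.7+ and a single address family.
"""
import ipaddress
import re

# One level of Snort-style negated sub-list: ![a,b,...]
NEG_GROUP = re.compile(r"!\[([^\[\]]*)\]")


def parse_entries(spec):
    """Split '[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]' into
    (included networks, excluded networks). Bare '!x' entries and one
    level of '![...]' grouping are handled; deeper nesting is not."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    excluded = []

    def grab(match):
        excluded.extend(match.group(1).split(","))
        return ""

    included = []
    for item in NEG_GROUP.sub(grab, spec).split(","):
        item = item.strip()
        if not item:
            continue
        (excluded if item.startswith("!") else included).append(item.lstrip("!"))

    def to_net(text):
        # strict=False tolerates host bits, e.g. "10.0.0.1/24"
        return ipaddress.ip_network(text.strip(), strict=False)

    return [to_net(i) for i in included], [to_net(e) for e in excluded]


def expand(included, excluded):
    """Carve every excluded network out of the included ones and return
    a sorted, merged list of positive-only networks."""
    nets = list(included)
    for hole in excluded:
        carved = []
        for net in nets:
            if net.subnet_of(hole):
                continue                                   # whole net excluded
            if hole.subnet_of(net):
                carved.extend(net.address_exclude(hole))   # split around the hole
            else:
                carved.append(net)                         # disjoint, keep as is
        nets = carved
    return sorted(ipaddress.collapse_addresses(nets))


def render(nets):
    """Snort list syntax: host routes as bare addresses, others as CIDR."""
    return ",".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets
    )


def snort_ipvar(name, spec):
    """Rewrite an ipvar spec that uses negation as a positive-only ipvar."""
    included, excluded = parse_entries(spec)
    return "ipvar %s [%s]" % (name, render(expand(included, excluded)))


def covers(nets, address):
    """Membership check, used to verify the expansion kept the same set."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    # The list from the thread (constructed input, same values as above).
    print(snort_ipvar("HOME_NET", "[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]"))
    # The 24-entry list quoted in the thread is what a /8 produces.
    print(snort_ipvar("HOME_NET", "[1.1.1.1,2.0.0.0/8,![2.2.2.2,2.2.2.3]]"))
```

The expansion is a pure set identity, so covers() can be used to spot-check that the excluded hosts really are gone and every other host of the original range is still in; that check is worth keeping in whatever script regenerates the variable, since an off-by-one in a hand-edited list silently widens or narrows what !$HOME_NET matches.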