[Snort-sigs] help needed on var definitions for a rule

Ed Davison bfdi533 at ...471...
Tue Mar 26 12:16:14 EST 2002

I am trying to sort out a rule that will enable me to remove a given list of
ip addresses from a rule.  Here are my definitions:

var HOME_NET1,,,
var HOME_NET2,,,


var DNS_SERVERS [,,]
var DNS,,


The rule that I am trying to modify is for L3retriever so that the Win2K DC
chatter is removed from the range of addresses as the Win2K DCs use the same
packet structure as L3retriever does giving TONS of false alerts.

Here is my rule:

alert icmp !$DNS_INT any -> !$DNS_EXT any (msg:"ICMP L3retriever Ping"; \
    content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype:8; icode:0; depth:32; \
    reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

It is failing with this error:

FATAL ERROR: ERROR /var/log/snort/conf/.//icmp.rules (16) => Rule IP address
([xxx.xxx.xxx.0) didn't translate,please make sure you don't have an invalid IP
address inthe rule

I think this is because $DNS_EXT uses $EXTERNAL_NET which is already a
negated var.  Is this the cause?  Or is it something else?  Is there a
better way to code an address exception?


Ed Davison                                                (512) 475-8090 voice
Sr. Systems Analyst/Database Administrator                (512) 475-8681 fax
McCombs School of Business
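An added example, not part of the post above and not Snort code: a small checker that expands Snort-style `var` references the way the rule parser does and reports the two things that produce a "didn't translate" error on an address spec, an unbalanced bracket after expansion and a negation that ends up nested inside an already-negated spec (as happens when a rule writes `!$DNS_EXT` and `$DNS_EXT` contains `$EXTERNAL_NET`, which is itself `!$HOME_NET`). The assumption that the Snort 1.x parser of the time rejects a negation inside a negated list is mine; the config fragments are constructed with RFC 5737 documentation addresses, and the variable name `L3R_EXCEPT` is a hypothetical name for the flat exception list that the fixed version negates only once, in the rule.

```python
"""Expand Snort 'var' references and check address specs for the two
failure modes behind "Rule IP address (...) didn't translate":
unbalanced brackets after expansion, and a negation nested inside a
spec that is already negated.  Added example, not Snort's own code;
the nested-negation rule is an assumption about the Snort 1.x parser."""
import re

VAR_LINE = re.compile(r'^\s*var\s+(\S+)\s+(\S+)\s*$')
VAR_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$')

# Constructed snort.conf fragments modelled on the post's layout.  The
# addresses are RFC 5737 documentation ranges, not the poster's real ones.
# DNS_EXT pulls in EXTERNAL_NET (already "!$HOME_NET"), so "!$DNS_EXT" in a
# rule negates a spec that already contains a negation.  DNS_SERVERS is
# deliberately missing its closing bracket.
BROKEN_CONF = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_INT [192.0.2.53,198.51.100.53]
var DNS_EXT [$EXTERNAL_NET,203.0.113.53]
var DNS_SERVERS [192.0.2.53,198.51.100.53
"""

# Fixed layout: keep the exception list flat (hypothetical name L3R_EXCEPT)
# and apply the single "!" in the rule, e.g. "alert icmp !$L3R_EXCEPT any ..."
FIXED_CONF = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var EXTERNAL_NET !$HOME_NET
var L3R_EXCEPT [192.0.2.10/32,192.0.2.11/32,203.0.113.53/32]
"""


def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines into a dict; other lines are ignored."""
    out = {}
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def expand(spec, variables, depth=0):
    """Substitute $NAME references recursively, as Snort's var expansion does."""
    if depth > 16:
        raise ValueError('variable reference loop in %r' % spec)

    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError('undefined variable $%s' % name)
        return expand(variables[name], variables, depth + 1)

    return VAR_REF.sub(sub, spec)


def check_addr_spec(expanded):
    """Return a list of problems found in a fully expanded address spec."""
    problems = []
    if expanded.count('[') != expanded.count(']'):
        problems.append('unbalanced brackets: %s' % expanded)
    negated_outer = expanded.startswith('!')
    for i, ch in enumerate(expanded):
        if ch != '!' or i == 0:
            continue
        if negated_outer:
            # e.g. ![![...],x] produced by "!$DNS_EXT" above (assumed invalid)
            problems.append('negation nested inside a negated spec: %s' % expanded)
            break
        if expanded[i - 1] not in '[,':
            problems.append('misplaced negation at offset %d: %s' % (i, expanded))
    for atom in re.split(r'[\[\],!\s]+', expanded):
        if atom and atom != 'any' and not IPV4.match(atom):
            problems.append('not an IPv4 address: %s' % atom)
    return problems


def audit(conf_text, rule_specs):
    """Expand each address spec a rule uses; return {spec: [problems]}."""
    variables = parse_vars(conf_text)
    report = {}
    for spec in rule_specs:
        try:
            report[spec] = check_addr_spec(expand(spec, variables))
        except (KeyError, ValueError) as e:
            report[spec] = [str(e)]
    return report


if __name__ == '__main__':
    for name, conf, specs in (('broken', BROKEN_CONF, ['!$DNS_INT', '!$DNS_EXT', '$DNS_SERVERS']),
                              ('fixed', FIXED_CONF, ['!$L3R_EXCEPT', '$EXTERNAL_NET'])):
        for spec, problems in audit(conf, specs).items():
            print(name, spec, '->', problems or 'ok')
```

Run it as-is to see the broken layout flagged and the flat-list layout pass; point `audit` at your own snort.conf text and the address fields of the rule to reproduce what the parser will see after expansion.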
