[Snort-sigs] help needed on var definitions for a rule

Ed Davison bfdi533 at ...471...
Tue Mar 26 12:16:14 EST 2002


I am trying to sort out a rule that will enable me to remove a given list of
IP addresses from a rule.  Here are my definitions:

var HOME_NET1 146.6.50.0/24,146.6.155.0/24,146.6.166.0/24,146.6.167.0/24
var HOME_NET2 128.83.62.0/24,128.83.184.0/24,128.83.153.0/24,128.83.45.0/24
var HOME_NET [$HOME_NET1,$HOME_NET2]

var EXTERNAL_NET !$HOME_NET

var DNS_SERVERS [146.6.50.200/32,128.83.62.200/32,146.6.167.220/32]
var DNS 146.6.50.200/32,128.83.62.200/32,146.6.167.220/32

var DNS_INT [$DNS,$HOME_NET1,$HOME_NET2]
var DNS_EXT [$DNS,$EXTERNAL_NET]

The rule that I am trying to modify is for L3retriever, so that the Win2K DC
chatter is removed from the range of addresses, as the Win2K DCs use the same
packet structure as L3retriever does, giving TONS of false alerts.

Here is my rule:

alert icmp !$DNS_INT any -> !$DNS_EXT any (msg:"ICMP L3retriever Ping";
content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

It is failing with this error:

FATAL ERROR: ERROR /var/log/snort/conf/.//icmp.rules (16) => Rule IP address
([xxx.xxx.xxx.0) didn't translate,please make sure you don't have an invalid IP
address inthe rule

I think this is because $DNS_EXT uses $EXTERNAL_NET which is already a
negated var.  Is this the cause?  Or is it something else?  Is there a
better way to code an address exception?


-- 

------------------------------------------------------------------------------
Ed Davison                                                (512) 475-8090 voice
Sr. Systems Analyst/Database Administrator                (512) 475-8681 fax
McCombs School of Business
http://www.bus.utexas.edu/services/cbacc/dbsupport
------------------------------------------------------------------------------
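An added example, not code from the post or from Snort: a small Python model of the var substitution described above. It assumes Snort substitutes `$NAME` references textually; `expand` shows what the rule's address fields become, `lint` flags a `!` that ends up inside a bracketed list or under an outer `!`, and `without_hosts` shows a negation-free way to express "the home networks minus the DNS hosts" by carving the hosts out into a flat CIDR list.

```python
import ipaddress
import re

# Constructed copy of the var definitions from the post; edit to taste.
VARS = {
    "HOME_NET1": "146.6.50.0/24,146.6.155.0/24,146.6.166.0/24,146.6.167.0/24",
    "HOME_NET2": "128.83.62.0/24,128.83.184.0/24,128.83.153.0/24,128.83.45.0/24",
    "HOME_NET": "[$HOME_NET1,$HOME_NET2]",
    "EXTERNAL_NET": "!$HOME_NET",
    "DNS": "146.6.50.200/32,128.83.62.200/32,146.6.167.220/32",
    "DNS_INT": "[$DNS,$HOME_NET1,$HOME_NET2]",
    "DNS_EXT": "[$DNS,$EXTERNAL_NET]",
}
VAR_REF = re.compile(r"\$([A-Za-z_]\w*)")

def expand(text, variables=VARS):
    """Substitute $NAME references textually until none remain. This models
    Snort's var handling (an assumption of this example, not Snort's parser)."""
    while True:
        new = VAR_REF.sub(lambda m: variables[m.group(1)], text)
        if new == text:
            return text
        text = new

def lint(addr):
    """Flag a '!' that sits inside a bracketed list, and a '!' that sits under
    an outer '!' (double negation), in an already expanded address field."""
    issues, negated, prev = [], [], ""  # negated: per open '[', was it '!'-prefixed?
    for i, ch in enumerate(addr):
        if ch == "[":
            negated.append(prev == "!")
        elif ch == "]":
            negated.pop()
        elif ch == "!":
            if negated:
                issues.append(f"offset {i}: '!' inside a bracketed list")
            if prev == "!" or any(negated):
                issues.append(f"offset {i}: '!' under an outer '!' (double negation)")
        prev = ch
    return issues

def without_hosts(nets_csv, hosts_csv):
    """Negation-free alternative: carve the listed hosts out of the listed
    networks and return the remaining CIDR blocks as one flat Snort list."""
    hosts = [ipaddress.ip_network(h) for h in hosts_csv.split(",")]
    keep = []
    for net in (ipaddress.ip_network(n) for n in nets_csv.split(",")):
        pieces = [net]
        for host in hosts:  # address_exclude splits a block around one host
            pieces = [p for c in pieces
                      for p in (c.address_exclude(host) if host.subnet_of(c) else [c])]
        keep.extend(pieces)
    return "[" + ",".join(str(k) for k in sorted(keep)) + "]"
```

Running `lint(expand("!$DNS_EXT"))` reports the nested and doubled `!` that `$EXTERNAL_NET` drags in, while `lint(expand("!$DNS_INT"))` is clean; the flat list from `without_hosts` carries no `!` at all.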