[Snort-sigs] help needed on var definitions for a rule

Erek Adams erek at ...101...
Wed Mar 27 12:12:18 EST 2002

On Tue, 26 Mar 2002, Ed Davison wrote:

> I am trying to sort out a rule that will enable me to remove a given list of
> ip addresses from a rule.  Here are my definitions:
> var HOME_NET1,,,
> var HOME_NET2,,,
> var DNS_SERVERS [,,]
> var DNS,,
> The rule that I am trying to modify is for L3retriever so that the Win2K DC
> chatter is removed from the range of addresses as the Win2K DCs use the same
> packet structure as L3retriever does giving TONS of false alerts.
> Here is my rule:
> alert icmp !$DNS_INT any -> !$DNS_EXT any (msg:"ICMP L3retriever Ping";
> content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
> reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
> It is failing with this error:
> FATAL ERROR: ERROR /var/log/snort/conf/.//icmp.rules (16) => Rule IP address
> ([xxx.xxx.xxx.0) didn't translate,please make sure you don't have an invalid IP
> address inthe rule
> I think this is because $DNS_EXT uses $EXTERNAL_NET which is already a
> negated var.  Is this the cause?  Or is it something else?  Is there a
> better way to code an address exception?

Well, first thing that I would check is the define of DNS.  Since you're not
using []'s around it, it might be having some troubles with that.  Check that
and see what happens.

Erek Adams
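The two things the thread turns on are (a) whether a comma-separated address list in a `var` is wrapped in `[...]`, and (b) whether a rule negates a variable (`!$DNS_EXT`) whose own expansion is already negated through `$EXTERNAL_NET`. The following is an added example written for this archive page, not code from Snort or from either poster: a small lint that parses `var` lines, expands `$NAME` references the way the Snort preprocessor does, and reports both problems. The `snort.conf` fragment and the addresses in it are constructed (RFC 5737 documentation ranges), since the archive elided the original values.

```python
"""Lint Snort-style `var` definitions for the two problems discussed in the
thread: a comma list not wrapped in [...] and a rule header that negates a
variable whose expansion is itself negated.  Example code for this archived
thread; not from the Snort project or the posters."""
import re

# Constructed sample snort.conf fragment.  Addresses are RFC 5737 documentation
# ranges standing in for the values the archive elided.
SAMPLE_CONF = """\
var EXTERNAL_NET !$HOME_NET
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var DNS_SERVERS [192.0.2.53,198.51.100.53]
var DNS 192.0.2.53,198.51.100.53
var DNS_INT $DNS_SERVERS
var DNS_EXT $EXTERNAL_NET
"""

# Constructed rule header mirroring the one quoted in the thread.
RULE_HEADER = "alert icmp !$DNS_INT any -> !$DNS_EXT any"

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
REF_RE = re.compile(r"\$(\w+)")


def parse_vars(conf_text):
    """Return a dict of variable name -> raw (unexpanded) value."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(value, variables, _depth=0):
    """Substitute $NAME references recursively; refuse reference cycles."""
    if _depth > 32:
        raise ValueError("variable reference cycle")

    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return expand(variables[name], variables, _depth + 1)

    return REF_RE.sub(repl, value)


def lint_vars(variables):
    """Flag comma-separated lists that are not bracketed (Erek's suggestion)."""
    findings = []
    for name, value in variables.items():
        if "," in value and not (value.startswith("[") and value.endswith("]")):
            findings.append(f"{name}: list value {value!r} is not bracketed")
    return findings


def lint_rule_addresses(rule_header, variables):
    """Flag `!$VAR` where VAR already expands to a negated address."""
    findings = []
    for m in re.finditer(r"!\$(\w+)", rule_header):
        name = m.group(1)
        expanded = expand("$" + name, variables)
        if expanded.startswith("!"):
            findings.append(
                f"!${name} expands to {expanded!r}: "
                "negating an already-negated variable"
            )
    return findings


if __name__ == "__main__":
    variables = parse_vars(SAMPLE_CONF)
    for finding in lint_vars(variables) + lint_rule_addresses(RULE_HEADER, variables):
        print(finding)
```

Run against the constructed fragment it reports the unbracketed `DNS` list and the `!$DNS_EXT` double negation; `!$DNS_INT` passes because `DNS_SERVERS` is a plain bracketed list. Adjusting `SAMPLE_CONF` to a real `snort.conf` is enough to check a local configuration the same way.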
