[Snort-sigs] help needed on var definitions for a rule
erek at ...101...
Wed Mar 27 12:12:18 EST 2002
On Tue, 26 Mar 2002, Ed Davison wrote:
> I am trying to sort out a rule that will enable me to remove a given list of
> ip addresses from a rule. Here are my definitions:
> var HOME_NET1 22.214.171.124/24,126.96.36.199/24,188.8.131.52/24,184.108.40.206/24
> var HOME_NET2 220.127.116.11/24,18.104.22.168/24,22.214.171.124/24,126.96.36.199/24
> var HOME_NET [$HOME_NET1,$HOME_NET2]
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS [188.8.131.52/32,184.108.40.206/32,220.127.116.11/32]
> var DNS 18.104.22.168/32,22.214.171.124/32,126.96.36.199/32
> var DNS_INT [$DNS,$HOME_NET1,$HOME_NET2]
> var DNS_EXT [$DNS,$EXTERNAL_NET]
> The rule that I am trying to modify is for L3retriever so that the Win2K DC
> chatter is removed from the range of addresses as the Win2K DCs use the same
> packet structure as L3retriever does giving TONS of false alerts.
> Here is my rule:
> alert icmp !$DNS_INT any -> !$DNS_EXT any (msg:"ICMP L3retriever Ping";
> content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
> reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
> It is failing with this error:
> FATAL ERROR: ERROR /var/log/snort/conf/.//icmp.rules (16) => Rule IP address
> ([xxx.xxx.xxx.0) didn't translate,please make sure you don't have an invalid IP
> address inthe rule
> I think this is because $DNS_EXT uses $EXTERNAL_NET which is already a
> negated var. Is this the cause? Or is it something else? Is there a
> better way to code an address exception?
Well, first thing that I would check is the define of DNS. Since you're not
using 's around it, it might be having some troubles with that. Check that
and see what happens.
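As an added illustration (not part of the thread), the Python below expands the quoted var definitions by plain textual substitution (an assumption about how snort.conf vars are resolved) and reports which rule address specs end up with a negation nested inside another negated list, which is what the poster suspects of $DNS_EXT:

```python
import re

# Var definitions exactly as quoted in the thread (addresses as they appear on the page).
VARS = {
    "HOME_NET1": "22.214.171.124/24,126.96.36.199/24,188.8.131.52/24,184.108.40.206/24",
    "HOME_NET2": "220.127.116.11/24,18.104.22.168/24,22.214.171.124/24,126.96.36.199/24",
    "HOME_NET": "[$HOME_NET1,$HOME_NET2]",
    "EXTERNAL_NET": "!$HOME_NET",
    "DNS": "18.104.22.168/32,22.214.171.124/32,126.96.36.199/32",
    "DNS_INT": "[$DNS,$HOME_NET1,$HOME_NET2]",
    "DNS_EXT": "[$DNS,$EXTERNAL_NET]",
}
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def expand(spec, vars_=VARS, depth=0):
    """Textually substitute $VAR references until none remain (assumed to mirror snort.conf)."""
    if depth > 20:
        raise ValueError("variable reference loop")
    new = VAR_REF.sub(lambda m: vars_[m.group(1)], spec)  # KeyError on an undefined var
    return new if new == spec else expand(new, vars_, depth + 1)

def nested_negation(spec):
    """True if a '!' applies inside a list that is itself negated, e.g. ![a,![b,c]]."""
    stack, pending = [], False  # stack: one negation flag per currently open '['
    for ch in spec:
        if ch == "!":
            pending = True
        elif ch == "[":
            if pending and any(stack):
                return True
            stack.append(pending)
            pending = False
        elif ch == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            stack.pop()
        elif ch == ",":
            pending = False
        elif pending and any(stack):  # a negated address inside a negated list
            return True
    if stack:
        raise ValueError("unbalanced '['")
    return False

def check_address(spec):
    """Expand a rule address spec; return (expanded_text, negation_count, has_nested_negation)."""
    expanded = expand(spec)
    return expanded, expanded.count("!"), nested_negation(expanded)

if __name__ == "__main__":
    for spec in ("!$DNS_INT", "!$DNS_EXT"):
        print(spec, "->", check_address(spec))
```

Running it shows !$DNS_INT expanding to a single negated list, while !$DNS_EXT expands to a negated list that contains the already-negated $HOME_NET list.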