[Snort-sigs] help needed on var definitions for a rule

Erek Adams
Wed Mar 27 12:12:18 EST 2002


On Tue, 26 Mar 2002, Ed Davison wrote:

> I am trying to sort out a rule that will enable me to remove a given list of
> ip addresses from a rule.  Here are my definitions:
>
> var HOME_NET1 146.6.50.0/24,146.6.155.0/24,146.6.166.0/24,146.6.167.0/24
> var HOME_NET2 128.83.62.0/24,128.83.184.0/24,128.83.153.0/24,128.83.45.0/24
> var HOME_NET [$HOME_NET1,$HOME_NET2]
>
> var EXTERNAL_NET !$HOME_NET
>
> var DNS_SERVERS [146.6.50.200/32,128.83.62.200/32,146.6.167.220/32]
> var DNS 146.6.50.200/32,128.83.62.200/32,146.6.167.220/32
>
> var DNS_INT [$DNS,$HOME_NET1,$HOME_NET2]
> var DNS_EXT [$DNS,$EXTERNAL_NET]
>
> The rule that I am trying to modify is for L3retriever so that the Win2K DC
> chatter is removed from the range of addresses as the Win2K DCs use the same
> packet structure as L3retriever does giving TONS of false alerts.
>
> Here is my rule:
>
> alert icmp !$DNS_INT any -> !$DNS_EXT any (msg:"ICMP L3retriever Ping";
> content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
> reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
>
> It is failing with this error:
>
> FATAL ERROR: ERROR /var/log/snort/conf/.//icmp.rules (16) => Rule IP address
> ([xxx.xxx.xxx.0) didn't translate,please make sure you don't have an invalid IP
> address inthe rule
>
> I think this is because $DNS_EXT uses $EXTERNAL_NET which is already a
> negated var.  Is this the cause?  Or is it something else?  Is there a
> better way to code an address exception?

Well, first thing that I would check is the define of DNS.  Since you're not
using []'s around it, it might be having some troubles with that.  Check that
and see what happens.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
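To make the question in this thread concrete, here is an added example (not code from either poster, and not Snort's own parser) that takes the `var` lines quoted above, substitutes `$NAME` references textually in the way Snort's config preprocessor is assumed to, and then checks whether what `!$DNS_INT` and `!$DNS_EXT` expand to is a flat list of CIDR blocks. The checker deliberately models only one level of bracketed list with one leading `!`, so any inner `![...]` produced by a negated variable inside another list is reported as a bad token; it does not claim to reproduce exactly which forms the Snort release in the thread accepted. The function names (`parse_vars`, `expand`, `check_address_list`, `check_rule`) and the single-line form of the rule are constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample: the variable definitions quoted in the thread.
SNORT_VARS = """
var HOME_NET1 146.6.50.0/24,146.6.155.0/24,146.6.166.0/24,146.6.167.0/24
var HOME_NET2 128.83.62.0/24,128.83.184.0/24,128.83.153.0/24,128.83.45.0/24
var HOME_NET [$HOME_NET1,$HOME_NET2]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [146.6.50.200/32,128.83.62.200/32,146.6.167.220/32]
var DNS 146.6.50.200/32,128.83.62.200/32,146.6.167.220/32
var DNS_INT [$DNS,$HOME_NET1,$HOME_NET2]
var DNS_EXT [$DNS,$EXTERNAL_NET]
"""

# The quoted rule, joined onto one line (constructed from the thread).
RULE = ('alert icmp !$DNS_INT any -> !$DNS_EXT any (msg:"ICMP L3retriever Ping"; '
        'content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; '
        'reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)')

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_vars(text):
    """Collect 'var NAME VALUE' lines into a dict (hypothetical helper)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            result[name] = value
    return result


def expand(value, variables, depth=0):
    """Replace every $NAME with its definition, recursively.
    Assumption: substitution is purely textual, as in Snort's config handling."""
    if depth > 20:
        raise ValueError("variable recursion too deep")

    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("undefined variable $" + name)
        return expand(variables[name], variables, depth + 1)

    return VAR_RE.sub(substitute, value)


def check_address_list(expr):
    """Return the tokens that are not plain CIDR blocks.
    Simplified grammar: optional leading '!', optional one outer [ ], then a
    comma-separated list of networks. Anything nested deeper shows up here."""
    s = expr.strip()
    if s.startswith("!"):
        s = s[1:]
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    bad = []
    for token in s.split(","):
        token = token.strip()
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            bad.append(token)
    return bad


def check_rule(rule, variables):
    """Expand the source and destination address fields of a rule header
    and report the tokens the simplified grammar cannot parse."""
    fields = rule.split()
    src, dst = fields[2], fields[5]
    return {
        "src": check_address_list(expand(src, variables)),
        "dst": check_address_list(expand(dst, variables)),
    }


if __name__ == "__main__":
    v = parse_vars(SNORT_VARS)
    print("!$DNS_INT ->", expand("!$DNS_INT", v))
    print("!$DNS_EXT ->", expand("!$DNS_EXT", v))
    print(check_rule(RULE, v))
```

Running it prints the expanded source field as a single negated bracket list of CIDRs, while the destination field expands to a list that contains a second `![...]` inside it (the negated `$EXTERNAL_NET` that `$DNS_EXT` pulls in), and `check_rule` reports the two fragments where that inner list starts and ends. Printing the expansion this way is a cheap first step whenever a Snort `var` chain fails with a "didn't translate" error, because it shows exactly which text the rule parser ends up seeing.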
