[Snort-sigs] Fw: [Snort-users] negation symbol

Nigel Houghton nigel at ...435...
Thu Dec 9 18:15:03 EST 2004

This was cross-posted I see, not sure why you would want to do that, but
it happens. Anyway, I'm sending back to snort-sigs.

On  0, reynald <rtm at ...2840...> allegedly wrote:
> hi,
> I tried it but i still have the same result.
> thanks,
> reynald.
> ----- Original Message ----- 
> From: Esler, Joel 
> To: 'reynald' 
> Sent: Thursday, December 09, 2004 3:26 PM
> Subject: RE: [Snort-users] negation symbol
> Take the brackets off.  !xxx.xxx.xxx.xxx/24 (this will block all traffic to yahoo you know that right)

nope, that's not the problem.

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of reynald
> Sent: Thursday, December 09, 2004 1:44 AM
> To: snort-users at lists.sourceforge.net
> Cc: Reynald Mahinay
> Subject: [Snort-users] negation symbol
> hello,
> I have this rule that will block all yahoo request coming from our network except for a particular segment. 
> ex:
> alert tcp ![xxx.xxx.xxx.xxx/24] any -> any any [msg: "yahoo block test"; content: "Yahoo"; nocase; resp: rst_all;)
> It does block all yahoo request but it also blocks the segment i excluded. 
> Did i missed anything?

Yes. Your rule is malformed. The rule body needs to start with a "(" not
a "[" and you really don't want to use the "any any" in a rule that
resets any connection. Not that I am condoning using block rules unless you 
absoutely and clearly know what you are doing, but your rule should look 
something like this:

 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test"; content:
 "Yahoo";nocase; resp: rst_all;)

Or you could use the "log" keyword instead of alert. But that's up to you. 
You certainly do not want to use "any any" on either side of that direction 
arrow, and you probably should make sure the connection is valid lest you 
keep resetting valid connections. Like I said, you _really_ need to make 
it very clear what you are trying to achieve here and you _really_ need to 
know what you are doing when it comes to resetting connections.

> any help will be appreciated.
> thanks,
> reynald
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical, 
         you know. Pestilence here, a plague there. Omnipotence 
				 ...gotta get me some of that.

More information about the Snort-sigs mailing list