[Snort-sigs] Basic question: syntax question about excluding a subnet of a larger subnet...
mkettler at ...189...
Thu Mar 16 12:51:02 EST 2006
> What is the correct way to exclude a subnet from a larger network in a
You have to define it as multiple subnet additions. You can't subtract out a
range that's already been added, because the behavior of a "," is an "OR"
operation, not an "AND".
> var NET1 10.0.0.0/8 <http://10.0.0.0/8>
> var NET2 10.7.0.0/16 <http://10.7.0.0/16>
> var NET3 10.14.0.0/16 <http://10.14.0.0/16>
> alert tcp [$NET1,!$NET2] ANY -> $NET3 ANY ...blah, blah, blah...
> Is that the right way to watch for something from NET1 but not in NET2
No. That won't work, you can't do subtraction.
[$NET1,!$NET2] will match anything in NET1 *OR* anything not in NET2.
Since net2 is a subset of net1, this makes it a logical equivalent to "any". The
first clause will match all of net1, *including* the IPs in net2. The second
clause will match all of the rest of IP space. As long as either clause is
satisfied, it's a match.
And it has to work this way, unless the syntax changes to allow substantially
more complex expressions. If the existing "," became an "AND" operation, things
like [10.0.0.1/32,10.0.0.2/32] would not work correctly. That would suddenly
become a match of nothing, instead of a match of either of two IPs.
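The following Python script is an added illustration of the semantics described in the reply above; it is example code written for this page, not part of the thread and not Snort's own matcher. It models a Snort 2-era IP list the way the reply describes it (each entry evaluated on its own, results OR-ed, a "!" entry matching everything outside its block), shows that `[$NET1,!$NET2]` matches every address, contrasts that with a hypothetical "AND" reading that would break `[10.0.0.1/32,10.0.0.2/32]`, and then builds the "multiple subnet additions" the reply recommends by carving `10.7.0.0/16` out of `10.0.0.0/8` with `ipaddress.address_exclude`. The variable name `NET1_NOT_NET2` is an assumption chosen for the example.

```python
"""Model of Snort IP-list evaluation as described in the mailing-list reply.

Added example, not from the original post. Assumptions: entries in a list
are evaluated independently and OR-ed (the thread's description), a leading
"!" negates a single entry, and "var NAME [a,b,...]" is the form used for
the resulting positive-only list (as in the quoted question).
"""
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[bool, ipaddress.IPv4Network]


def parse_list(entries: Iterable[str]) -> List[Entry]:
    """Turn strings like '10.0.0.0/8' or '!10.7.0.0/16' into (negated, network)."""
    parsed: List[Entry] = []
    for raw in entries:
        text = raw.strip()
        negated = text.startswith("!")
        parsed.append((negated, ipaddress.ip_network(text.lstrip("!"), strict=False)))
    return parsed


def entry_hits(entry: Entry, ip: ipaddress.IPv4Address) -> bool:
    """A negated entry matches any address that is NOT inside its network."""
    negated, net = entry
    inside = ip in net
    return (not inside) if negated else inside


def matches(entries: Iterable[str], addr: str, mode: str = "or") -> bool:
    """Evaluate the list against one address.

    mode="or"  : the behaviour the reply describes (any entry hit => match)
    mode="and" : the hypothetical AND reading the reply argues against
    """
    ip = ipaddress.ip_address(addr)
    hits = [entry_hits(e, ip) for e in parse_list(entries)]
    if mode == "or":
        return any(hits)
    if mode == "and":
        return all(hits)
    raise ValueError("mode must be 'or' or 'and'")


def exclude_subnet(outer: str, hole: str) -> List[str]:
    """Express 'outer minus hole' as a sorted list of positive subnets.

    This is the 'multiple subnet additions' workaround: no negation is
    needed, so OR semantics give exactly the intended range.
    """
    outer_net = ipaddress.ip_network(outer)
    hole_net = ipaddress.ip_network(hole)
    return [str(n) for n in sorted(outer_net.address_exclude(hole_net))]


def snort_var(name: str, nets: Iterable[str]) -> str:
    """Render the list as a Snort 2 'var' line (assumed form, from the question)."""
    return "var %s [%s]" % (name, ",".join(nets))


if __name__ == "__main__":
    broken = ["10.0.0.0/8", "!10.7.0.0/16"]          # [$NET1,!$NET2] from the thread
    for probe in ("10.7.1.1", "10.6.0.1", "192.0.2.1"):   # constructed sample addresses
        print("%-12s broken list -> %s" % (probe, matches(broken, probe)))

    # The reply's counter-example: under AND, two /32s would match nothing.
    two_hosts = ["10.0.0.1/32", "10.0.0.2/32"]
    print("AND reading of two /32s:", matches(two_hosts, "10.0.0.1", mode="and"))

    fixed = exclude_subnet("10.0.0.0/8", "10.7.0.0/16")
    print(snort_var("NET1_NOT_NET2", fixed))
    for probe in ("10.7.1.1", "10.6.0.1", "192.0.2.1"):
        print("%-12s fixed list  -> %s" % (probe, matches(fixed, probe)))
```

Running it shows the problem the reply points out: every probe, including one in 10.7.0.0/16 and one outside 10.0.0.0/8 entirely, matches the negated list, while the eight positive blocks produced by `exclude_subnet` match only 10.0.0.0/8 minus 10.7.0.0/16.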