[Snort-sigs] Basic question [] syntax question about excluding a subnet of a larger subnet...

Matt Kettler mkettler at ...189...
Thu Mar 16 12:51:02 EST 2006


Gentoo-Wally wrote:
>  
> Question...
>  
> What is the correct way to exclude a subnet from a larger network in a
> signature?

You have to define it as multiple subnet additions. You can't subtract out a
range that's already been added, because the behavior of a , is an "or"
operation, not an AND.

>  
> var NET1 10.0.0.0/8
> var NET2 10.7.0.0/16
> var NET3 10.14.0.0/16
>  
> alert tcp [$NET1,!$NET2] ANY -> $NET3 ANY ...blah, blah, blah...
>  
> Is that the right way to watch for something from NET1 but not in NET2

No. That won't work, you can't do subtraction.

[$NET1,!$NET2]  will match anything in NET1 *OR* anything not in NET2.

Since net2 is a subset of net1 this makes it a logical equivalent to "any". The
first clause will match all of net1, *including* the IPs in net2. The second
clause will match all of the rest of IP space. As long as either clause is
satisfied, it's a match.

And it has to work this way, unless the syntax changes to allow substantially
more complex expressions. If the existing , became an "AND" operation things
like [10.0.0.1/32,10.0.0.2/32] would not work correctly. That would suddenly
become a match of nothing, instead of a match of either of two IPs.
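An added example, not part of the thread, that models the list semantics as the reply describes them (each comma-separated entry evaluated on its own and ORed together, `!` negating a single entry) and builds the "multiple subnet additions" form with the standard library. The parser is a constructed stand-in, not Snort's, and it assumes the `$NET` variables have already been expanded to their CIDR values.

```python
import ipaddress


def parse_list(expr):
    """Split a Snort-style list such as '[10.0.0.0/8,!10.7.0.0/16]' into
    (negated, network) pairs.  Constructed helper, not Snort's own parser;
    variables like $NET1 are assumed to be expanded before this is called."""
    body = expr.strip()
    if body.startswith('[') and body.endswith(']'):
        body = body[1:-1]
    entries = []
    for item in body.split(','):
        item = item.strip()
        negated = item.startswith('!')
        net = ipaddress.ip_network(item.lstrip('!'), strict=False)
        entries.append((negated, net))
    return entries


def matches(expr, ip):
    """OR semantics as the reply explains: a negated entry matches any
    address outside its network, and the list matches if any entry does."""
    addr = ipaddress.ip_address(ip)
    return any((addr not in net) if negated else (addr in net)
               for negated, net in parse_list(expr))


def exclude(outer, inner):
    """Express 'outer minus inner' as a list of positive subnets that can be
    ORed together, i.e. the additive form the reply recommends."""
    parts = ipaddress.ip_network(outer).address_exclude(
        ipaddress.ip_network(inner))
    return '[' + ','.join(str(n) for n in sorted(parts)) + ']'


if __name__ == '__main__':
    # Under OR semantics the mixed list is equivalent to "any":
    print(matches('[10.0.0.0/8,!10.7.0.0/16]', '10.7.1.1'))      # True
    print(matches('[10.0.0.0/8,!10.7.0.0/16]', '192.168.1.1'))   # True
    # The additive form covers 10/8 except 10.7/16:
    print(exclude('10.0.0.0/8', '10.7.0.0/16'))
```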