[Snort-sigs] Var that don't work

Adam Keeton akeeton at ...435...
Mon Sep 10 16:06:29 EDT 2007


Thierry CHICH wrote:
> I would adapt the rules
> BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
> to my network. Since I have a lot of RFC1918 computers that are not in my 
> HOME_NET, I have a lot of FP.
>
> I try the following method. I had the following variables in 
> the /etc/snort/snort.conf:
>
> var RFC1918 [192.168/16,172.16/12,10/8]
> var INTERNET !$RFC1918
>
>
>
> I modify the rules as:
> alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS 
>
> But it doesn't work.
>
>   
Hi Thierry,

Which version of Snort?

When you say that it doesn't work, do you mean that Snort is still
throwing false positives after making your change?

In 2.7 and earlier, doing ![192.168/16,172.16/12,10/8] should exclude
each of those address blocks correctly.  Though, do note, if you
actually wrote: [!192.168/16,!172.16/12,!10/8], it will match any IP
since the comma is treated as a logical OR (in 2.8, the behavior is now
to treat each comma-separated IP as an AND).

If you can't get it working, can you send a PCAP and your snort.conf to
bugs at ...95...? 

-- 
Adam Keeton      Software Engineer
Snort Team       Sourcefire,Inc   
www.snort.org    www.sourcefire.com
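As an added illustration (not part of the thread, and a model of the list semantics Adam describes rather than Snort's own parser), the following Python evaluates an address against the two list spellings under the 2.7 "comma is OR" rule and the 2.8 "comma is AND" rule. The `version` labels "2.7" and "2.8" are just switches for the two behaviours; the short CIDR forms are those from the original snort.conf.

```python
import ipaddress


def _cidr(tok):
    # Expand Snort's short form ("192.168/16") to a full network ("192.168.0.0/16").
    addr, _, bits = tok.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{bits or 32}", strict=False)


def parse_list(spec):
    """Parse '[a,b]' or '![a,b]' into (outer_negated, [(item_negated, network), ...])."""
    spec = spec.strip()
    outer = spec.startswith("!")
    if outer:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    items = []
    for tok in spec.split(","):
        tok = tok.strip()
        items.append((tok.startswith("!"), _cidr(tok.lstrip("!"))))
    return outer, items


def matches(spec, ip, version="2.7"):
    """True if `ip` matches the variable `spec` under the named version's comma semantics."""
    outer, items = parse_list(spec)
    addr = ipaddress.ip_address(ip)
    # Each item is its own membership test, inverted when the item carries '!'.
    per_item = [(addr in net) != neg for neg, net in items]
    # 2.7: comma joins items with OR; 2.8 (as described in the mail): with AND.
    hit = any(per_item) if version == "2.7" else all(per_item)
    # A leading '!' on the whole list inverts the combined result.
    return hit != outer


OUTER_NEG = "![192.168/16,172.16/12,10/8]"   # what Thierry's INTERNET variable expands to
INNER_NEG = "[!192.168/16,!172.16/12,!10/8]"  # the spelling Adam warns about


def compare(ip):
    """Return the verdict of both spellings under both versions for one source address."""
    return {
        "2.7 outer": matches(OUTER_NEG, ip, "2.7"),
        "2.7 inner": matches(INNER_NEG, ip, "2.7"),
        "2.8 inner": matches(INNER_NEG, ip, "2.8"),
    }
```

Under 2.7 the inner-negated form is true for a private address such as 192.168.1.10 because the other two negated items are satisfied, which is exactly why it would not suppress the false positives.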