[Snort-sigs] Var that don't work
akeeton at ...435...
Mon Sep 10 16:06:29 EDT 2007
Thierry CHICH wrote:
> I would like to adapt the rule
> BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
> to my network. Since I have a lot of RFC1918 computers that are not in my
> HOME_NET, I have a lot of FPs.
> I tried the following method. I added the following variables to
> /etc/snort/snort.conf:
> var RFC1918 [192.168/16,172.16/12,10/8]
> var INTERNET !$RFC1918
> I modified the rule as:
> alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS
> But it doesn't work.
Which version of Snort?
When you say that it doesn't work, do you mean that Snort is still
throwing false positives after making your change?
In 2.7 and earlier, doing ![192.168/16,172.16/12,10/8] should exclude
each of those address blocks correctly. Though, do note, if you
actually wrote [!192.168/16,!172.16/12,!10/8], it will match any IP,
since the comma is treated as a logical OR (in 2.8, the behavior is now
to treat each comma-separated IP as an AND).
If you can't get it working, can you send a PCAP and your snort.conf to
bugs at ...95...?
Adam Keeton, Software Engineer
Snort Team, Sourcefire, Inc.
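The two negation forms discussed in this thread behave differently depending on how the comma is interpreted. The following Python model, added here as an illustration and not code from Snort or from either poster, evaluates a Snort-style IP list against an address under the two semantics described above: comma as OR over every entry (2.7 and earlier) and negated entries combined as AND (2.8). The 2.8 branch also lets non-negated entries be ORed with negated entries acting as exclusions; that generalization, the `$VAR` substitution helper, and the sample addresses are assumptions made for the example, not details from the post.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed snort.conf variables, mirroring the ones quoted in the thread.
VARIABLES = {
    "RFC1918": "[192.168/16,172.16/12,10/8]",
    "INTERNET": "!$RFC1918",
}


def resolve_vars(expr: str, variables: Dict[str, str]) -> str:
    """Expand $NAME references the way snort.conf 'var' lines are substituted.
    Repeats until no reference remains, so INTERNET -> !$RFC1918 -> ![...]."""
    changed = True
    while changed:
        changed = False
        for name, value in variables.items():
            if "$" + name in expr:
                expr = expr.replace("$" + name, value)
                changed = True
    return expr


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Snort accepts shortened dotted forms such as '192.168/16' or '10/8';
    pad the missing octets with zeros so the ipaddress module can parse them."""
    net, _, plen = token.partition("/")
    octets = net.split(".")
    while len(octets) < 4:
        octets.append("0")
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_ip_list(expr: str) -> Tuple[bool, List[Tuple[bool, ipaddress.IPv4Network]]]:
    """Return (whole_list_negated, [(entry_negated, network), ...]).
    Handles '![a,b]' (negation of the whole list) and '[!a,!b]' (per-entry)."""
    expr = expr.strip()
    list_negated = expr.startswith("!")
    if list_negated:
        expr = expr[1:].strip()
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    entries = []
    for tok in expr.split(","):
        tok = tok.strip()
        neg = tok.startswith("!")
        entries.append((neg, _to_network(tok[1:] if neg else tok)))
    return list_negated, entries


def ip_matches(expr: str, ip: str, version: Tuple[int, int] = (2, 7),
               variables: Optional[Dict[str, str]] = None) -> bool:
    """Does address `ip` satisfy the IP list `expr` under the given Snort version's rules?"""
    if variables:
        expr = resolve_vars(expr, variables)
    list_negated, entries = parse_ip_list(expr)
    addr = ipaddress.ip_address(ip)
    if version < (2, 8):
        # 2.7 and earlier: the comma is a logical OR over every entry, negated
        # ones included, so [!a,!b,!c] is true for any address outside at
        # least one of the (disjoint) blocks, i.e. for every address.
        inside = any((addr in net) != neg for neg, net in entries)
    else:
        # 2.8 model (assumption for this example): non-negated entries are ORed,
        # negated entries are ANDed together as exclusions.
        positives = [net for neg, net in entries if not neg]
        negatives = [net for neg, net in entries if neg]
        inside = (not positives or any(addr in n for n in positives)) \
            and not any(addr in n for n in negatives)
    # A leading '!' negates the result of the whole list.
    return inside != list_negated


def compare_forms(ip: str) -> Dict[str, bool]:
    """Evaluate the poster's intended form and the broken per-entry form
    for one address under both versions; constructed for demonstration."""
    whole = "![192.168/16,172.16/12,10/8]"
    per_entry = "[!192.168/16,!172.16/12,!10/8]"
    return {
        "whole_2.7": ip_matches(whole, ip, (2, 7)),
        "per_entry_2.7": ip_matches(per_entry, ip, (2, 7)),
        "whole_2.8": ip_matches(whole, ip, (2, 8)),
        "per_entry_2.8": ip_matches(per_entry, ip, (2, 8)),
    }


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.5.5", "8.8.8.8"):
        print(ip, compare_forms(ip))
    print("$INTERNET vs 10.1.2.3:", ip_matches("$INTERNET", "10.1.2.3", (2, 7), VARIABLES))
```

Running it shows why the poster's `var INTERNET !$RFC1918` is the right shape: the whole-list negation rejects every RFC1918 address under both semantics, while the per-entry form matches every address under the 2.7 OR semantics and only behaves as intended once negated entries are ANDed.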