[Snort-sigs] Var that don't work
thierry.chich at ...2579...
Tue Sep 11 03:48:22 EDT 2007
On Monday 10 September 2007 22:06, you wrote:
> Thierry CHICH wrote:
> > I would like to adapt the rule
> > BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
> > to my network. Since I have a lot of RFC1918 computers that are not in my
> > HOME_NET, I have a lot of FP.
> > I tried the following method. I added the following variables in
> > the /etc/snort/snort.conf:
> > var RFC1918 [192.168/16,172.16/12,10/8]
> > var INTERNET !$RFC1918
> > I modified the rule as:
> > alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS
> > But it doesn't work.
Thanks to Joel (and to an anonymous French guy :)). It seems to work if I
write the variable as:
var RFC1918 [192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]
I am a little bit dubious.
I have written my HOME_NET as
var HOME_NET [192.168.18/24,192.168.22/24,172.23.230/20,172.12.240/20]
and it doesn't seem to bother snort.
> Hi Thierry,
> Which version of Snort?
> When you say that it doesn't work, do you mean that Snort is still
> throwing false positives after making your change?
I had a lot of false positives. Even more than before modifying the rule.
EXTERNAL_NET didn't contain my HOME_NET!
> In 2.7 and earlier, doing ![192.168/16,172.16/12,10/8] should exclude
> each of those address blocks correctly. Though, do note, if you
> actually wrote: [!192.168/16,!172.16/12,!10/8], it will match any IP
> since the comma is treated as a logical OR (In 2.8, the behavior is now
> to treat each comma separated IP as an AND).
Thanks for your answer. I think I will try Snort 2.8 when it becomes stable, and
I will be sure that I can use flexresp2.
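The following is an added illustration, not code from this thread or from Snort itself. It models the two things the exchange turns on: the octet shorthand (192.168/16 versus 192.168.0.0/16) that Thierry found Snort would not accept inside a var, and the difference between negating the whole list (`![a,b,c]`) and negating each entry (`[!a,!b,!c]`) under the comma-as-OR reading Joel attributes to Snort 2.7 and the comma-as-AND reading he attributes to 2.8. The 2.8 model below applies the AND only to the negated entries and still ORs positive entries together; that detail is my assumption, not something the thread states. The sample addresses are constructed.

```python
"""Model of Snort IP-list variable semantics as described in the thread.

Illustrative re-implementation only; Snort's real parser is not reproduced.
"""
import ipaddress


def normalize_cidr(token):
    """Expand shorthand such as 192.168/16 to 192.168.0.0/16.

    The thread reports that 192.168/16 did not work in a var while the fully
    written 192.168.0.0/16 did, so rule authors should write all four octets.
    This helper only shows what the shorthand is meant to say.
    """
    addr, sep, prefix = token.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad missing octets with zeros
    return ipaddress.ip_network(".".join(octets) + sep + prefix, strict=False)


def parse_ip_var(spec):
    """Parse `![a,b]`, `[!a,!b]` or a bare `a` into
    (outer_negated, [(entry_negated, network), ...])."""
    spec = spec.strip()
    outer = spec.startswith("!")
    if outer:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    entries = []
    for tok in spec.split(","):
        tok = tok.strip()
        neg = tok.startswith("!")
        entries.append((neg, normalize_cidr(tok[1:] if neg else tok)))
    return outer, entries


def matches(spec, ip, version="2.7"):
    """Return True if `ip` matches the var `spec` under the given semantics."""
    outer, entries = parse_ip_var(spec)
    addr = ipaddress.ip_address(ip)
    if version == "2.7":
        # Comma is OR and each negation applies to its own entry:
        # [!A,!B] is (not in A) OR (not in B), which is true for every
        # address because no address is in both A and B at once.
        inner = any((addr in net) != neg for neg, net in entries)
    else:
        # Model of the 2.8 behaviour Joel describes: negated entries are
        # ANDed together. Positive entries still OR (assumption, not stated
        # in the thread); a list holding only negations matches everything
        # that is not excluded.
        positives = [net for neg, net in entries if not neg]
        negatives = [net for neg, net in entries if neg]
        in_pos = any(addr in net for net in positives) if positives else True
        in_neg = any(addr in net for net in negatives)
        inner = in_pos and not in_neg
    return inner != outer


# Constructed vars mirroring the thread: whole-list negation vs per-entry negation.
RFC1918 = "[192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]"
INTERNET = "!" + RFC1918
PER_ENTRY = "[!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8]"


def demo():
    """Evaluate a private and a public address against both var forms."""
    return {
        "shorthand": str(normalize_cidr("192.168/16")),
        "INTERNET 10.1.2.3 (2.7)": matches(INTERNET, "10.1.2.3", "2.7"),
        "INTERNET 8.8.8.8 (2.7)": matches(INTERNET, "8.8.8.8", "2.7"),
        "PER_ENTRY 10.1.2.3 (2.7)": matches(PER_ENTRY, "10.1.2.3", "2.7"),
        "PER_ENTRY 10.1.2.3 (2.8)": matches(PER_ENTRY, "10.1.2.3", "2.8"),
        "PER_ENTRY 8.8.8.8 (2.8)": matches(PER_ENTRY, "8.8.8.8", "2.8"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Under the 2.7 reading, `PER_ENTRY` matches the private address 10.1.2.3, which is exactly the false-positive flood the thread describes; `INTERNET` (the whole list negated) excludes it in either version.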