[Snort-sigs] Var that don't work

Thierry CHICH thierry.chich at ...2579...
Tue Sep 11 03:48:22 EDT 2007


On Monday 10 September 2007 22:06, you wrote:
> Thierry CHICH wrote:
> > I would adapt the rules
> > BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack
> > to my network. Since I have a lot of RFC1918 computers that are not in my
> > HOME_NET, I have a lot of FP.
> >
> > I tried the following method. I added the following variables to
> > /etc/snort/snort.conf:
> >
> > var RFC1918 [192.168/16,172.16/12,10/8]
> > var INTERNET !$RFC1918
> >
> > I modified the rules as:
> > alert tcp $INTERNET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT
> > EVENTS
> >
> > But it doesn't work.
>

Thanks to Joel (and to an anonymous French guy :)). It seems to work if I
write the variable as:

var RFC1918 [192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]

I am a little bit dubious.
I have written my HOME_NET as
var HOME_NET [192.168.18/24,192.168.22/24,172.23.230/20,172.12.240/20]

and it doesn't seem to bother snort.

> Hi Thierry,
>
> Which version of Snort?

Snort 2.6
>
> When you say that it doesn't work, do you mean that Snort is still
> throwing false positives after making your change?
I had a lot of false positives, even more than before modifying the rule.
EXTERNAL_NET didn't contain my HOME_NET!

> In 2.7 and earlier, doing ![192.168/16,172.16/12,10/8] should exclude
> each of those address blocks correctly.  Though, do note, if you
> actually wrote: [!192.168/16,!172.16/12,!10/8], it will match any IP
> since the comma is treated as a logical OR (In 2.8, the behavior is now
> to treat each comma separated IP as an AND).

Thanks for your answer. I think I will try Snort 2.8 when it becomes stable,
and I will be sure that I can use flexresp2.


Thierry
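As an added example, not part of this thread or of Snort's own code: a small Python model of the two IP-list semantics Joel describes, so the difference between `![a,b,c]` and `[!a,!b,!c]` can be checked against concrete addresses. The pre-2.8 "comma is OR" and 2.8 "negated entries are ANDed" behaviour below is an assumption modelled on Joel's description, not a reading of Snort's parser; the strict dotted-quad check uses Python's `ipaddress` module and mirrors Thierry's observation that `192.168.0.0/16` worked where `192.168/16` did not, without claiming that is how Snort itself parses the value.

```python
import ipaddress

# Sample values taken from the thread; the variable expansion below is a
# constructed illustration of how INTERNET = !$RFC1918 would look once expanded.
RFC1918 = "[192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]"
INTERNET = "!" + RFC1918                       # ![192.168.0.0/16,...]
PITFALL = "[!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8]"


def is_strict_cidr(token):
    """True only for a full dotted-quad CIDR such as 192.168.0.0/16.

    Shorthand like 192.168/16 is rejected by ipaddress (ValueError), which is
    consistent with the fix reported in the thread.
    """
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def parse_ip_list(spec):
    """Split a Snort-style IP list into (whole_list_negated, [(negated, network), ...])."""
    spec = spec.strip()
    whole_negated = spec.startswith("!")
    if whole_negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    items = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        items.append((negated, ipaddress.ip_network(token, strict=False)))
    return whole_negated, items


def matches(spec, address, snort28=False):
    """Evaluate whether `address` matches the IP list `spec`.

    snort28=False (assumed pre-2.8 semantics): every entry, negated or not, is
    evaluated on its own and the results are ORed, so [!a,!b,!c] is true for
    any address that is outside at least one of a, b, c -- i.e. every address.
    snort28=True (assumed 2.8 semantics): positive entries are ORed, negated
    entries are ANDed, so [!a,!b,!c] excludes all three blocks.
    A leading '!' on the whole list inverts the final result in both modes.
    """
    whole_negated, items = parse_ip_list(spec)
    addr = ipaddress.ip_address(address)
    if snort28:
        positives = [net for neg, net in items if not neg]
        negatives = [net for neg, net in items if neg]
        inner = (not positives or any(addr in n for n in positives)) and \
            not any(addr in n for n in negatives)
    else:
        inner = any((addr not in net) if neg else (addr in net) for neg, net in items)
    return (not inner) if whole_negated else inner


if __name__ == "__main__":
    for ip in ("10.1.2.3", "8.8.8.8"):
        print(ip, "INTERNET:", matches(INTERNET, ip),
              "pitfall<=2.7:", matches(PITFALL, ip),
              "pitfall 2.8:", matches(PITFALL, ip, snort28=True))
    print("192.168/16 strict:", is_strict_cidr("192.168/16"))
```

Running it shows the failure mode from the thread: under the OR semantics `[!192.168.0.0/16,!172.16.0.0/12,!10.0.0.0/8]` matches 10.1.2.3 as well as 8.8.8.8, so a rule using it as a source would fire on internal traffic, whereas `![...]` (the form `!$RFC1918` expands to) excludes the private blocks in both modes.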



