[Snort-users] CIDR address problem

Kevin M. Myer kevin_myer at ...112...
Thu Jul 20 12:38:37 EDT 2000


Hi,

I have two problems which I hope someone can help me with.  The first is
that I have about 7 networks that I'd like to treat as internal.  Judging
from the example config file, if I simply define multiple instances of the
INTERNAL variable, this is equivalent to doing a logical AND of all the
networks that are internal.  However, I'm not quite sure I have this
correct - does snort build rules line by line?  In other words, if I have
defined INTERNAL twice, does it first build a list of rules with the first
instance of INTERNAL and then build another list with the second instance
of INTERNAL?  If so, wouldn't it be more convenient to allow a variable
like INTERNAL to be parsed as a comma-delimited list of networks/hosts?  
Probably the rules parsing would have to be expanded to include
something like a logical OR.  I think it would simplify configuration
greatly.  Furthermore, it would make something like:

var EXTERNAL = '!$INTERNAL'

possible (syntax might be off but basically prepend a ! before the shell
expansion of $INTERNAL).  As it stands, at least in my understanding, the
EXTERNAL variable can only be set to one network.  And while it's possible
to move up the CIDR tree to a network designation that covers most of my
networks, that also excludes some other, potentially rogue internal
networks, that I DO want to monitor from being watched by snort. 

Issue 2 - because I'm not quite sure of the multiple networks syntax, I
just went ahead and lumped everything into one network,
172.0.0.0/8.  However, snort doesn't seem to be happy with that CIDR
designation.  In reality, I really only want to treat 172.19.5.0/24,
172.19.6.0/24, 172.19.7.0/24, 172.19.8.0/24, 172.19.9.0/24 and
172.21.1.0/24 as internal and everything else as external.  But lumping
them all under 172.0.0.0/8 should work (although it includes many more
networks - the potentially rogue ones I described above).  I'm curious why
172.0.0.0/8 fails - snort complains about not liking that CIDR address in
the logs.  

I'll show you my basic config in case it's not clear what I want to
do.  Keep in mind that what I want to end up with is the 6 class C's
treated as internal addresses and the rest as external.

var	INTERNAL	172.19.5.0/24
var	EXTERNAL	!172.19.5.0/24

preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log

include /etc/snort/vision.rules

var	INTERNAL	172.19.6.0/24
<<<< Can I redeclare an EXTERNAL variable here as well?? >>>
include /etc/snort/vision.rules
...
repeated for remaining networks


What I would like to be able to do:

var INTERNAL 172.19.5.0/24, 172.19.6.0/24, 172.19.7.0/24, 172.19.8.0/24, \
172.19.9.0/24, 172.21.1.0/24
var EXTERNAL !$INTERNAL

<<<preprocessor stuff>>>
include /etc/snort/vision.rules

If it helps any, I am using snort 1.6.2.2 from the RPM with Linux.

Thanks for a very capable software program!

Kevin
-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140
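As an added example (not from the original post, and not Snort's own code), a small Python helper that models the semantics the post asks for: INTERNAL as a comma-delimited list of networks (a logical OR of the entries), EXTERNAL as the complement of that whole list, plus two checks a defender would run before falling back to a coarse supernet: the smallest exact CIDR cover of the six class C's, and how much extra address space 172.0.0.0/8 would sweep in as "internal". The list syntax and function names are assumptions for illustration; Snort 1.6 takes one network per var.

```python
import ipaddress

# Constructed sample: the six class C networks listed in the post, written
# as the comma-delimited 'var INTERNAL' the post wishes Snort accepted.
INTERNAL_SPEC = ("172.19.5.0/24, 172.19.6.0/24, 172.19.7.0/24, "
                 "172.19.8.0/24, 172.19.9.0/24, 172.21.1.0/24")

def valid_cidr(spec):
    """True if spec is a well-formed CIDR network with no host bits set."""
    try:
        ipaddress.ip_network(spec.strip(), strict=True)
        return True
    except ValueError:
        return False

def parse_networks(spec):
    """Split a comma-delimited variable value into network objects
    (hypothetical syntax; Snort 1.6 takes one network per var)."""
    return [ipaddress.ip_network(s.strip(), strict=True)
            for s in spec.split(",") if s.strip()]

def is_internal(addr, nets):
    """A list-valued INTERNAL is a logical OR: a host matches any entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def is_external(addr, nets):
    """'!$INTERNAL' is the complement of the whole list, not of one entry."""
    return not is_internal(addr, nets)

def minimal_cover(nets):
    """Fewest CIDR blocks covering exactly these networks and nothing else."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def swept_in(supernet, nets):
    """Addresses a coarse supernet (e.g. 172.0.0.0/8) would treat as internal
    beyond the intended networks: the 'potentially rogue' space."""
    big = ipaddress.ip_network(supernet, strict=True)
    wanted = sum(n.num_addresses for n in nets if n.subnet_of(big))
    return big.num_addresses - wanted

if __name__ == "__main__":
    nets = parse_networks(INTERNAL_SPEC)
    print("exact cover:", minimal_cover(nets))
    print("extra hosts under 172.0.0.0/8:", swept_in("172.0.0.0/8", nets))
```

Note that `valid_cidr("172.0.0.0/8")` returns True, so the address itself is well-formed; the helper says nothing about why Snort 1.6.2.2 rejected it.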
