[Snort-users] CIDR address problem
Kevin M. Myer
kevin_myer at ...112...
Thu Jul 20 12:38:37 EDT 2000
I have two problems which I hope someone can help me with. The first is
that I have about 7 networks that I'd like to treat as internal. Judging
from the example config file, if I simply define multiple instances of the
INTERNAL variable, this is equivalent to doing a logical AND of all the
networks that are internal. However, I'm not quite sure I have this
correct - does snort build rules line by line? In other words, if I have
defined INTERNAL twice, does it first build a list of rules with the first
instance of INTERNAL and then build another list with the second instance
of INTERNAL? If so, wouldn't it be more convenient to allow a variable
like INTERNAL to be parsed as a comma-delimited list of networks/hosts?
Probably the rules parsing would have to be expanded to include
something like a logical OR. I think it would simplify configuration
greatly. Furthermore, it would make something like:
var EXTERNAL = '!$INTERNAL'
possible (syntax might be off but basically prepend a ! before the shell
expansion of $INTERNAL). As it stands, at least in my understanding, the
EXTERNAL variable can only be set to one network. And while it's possible
to move up the CIDR tree to a network designation that covers most of my
networks, that also excludes some other, potentially rogue internal
networks, that I DO want to monitor from being watched by snort.
Issue 2 - because I'm not quite sure of the multiple networks syntax, I
just went ahead and lumped everything into one network,
18.104.22.168/8. However, snort doesn't seem to be happy with that CIDR
designation. In reality, I really only want to treat 172.19.5.0/24,
172.19.6.0/24, 172.19.7.0/24, 172.19.8.0/24, 172.19.9.0/24 and
172.21.1.0/24 as internal and everything else as external. But lumping
them all under 22.214.171.124/8 should work (although it includes many more
networks - the potentially rogue ones I described above). I'm curious why
126.96.36.199/8 fails - snort complains about not liking that CIDR address in
I'll show you my basic config in case it's not clear what I want to
do. Keep in mind that what I want to end up with is the 6 class C's
treated as internal addresses and the rest as external.
var INTERNAL 172.19.5.0/24
var EXTERNAL !172.19.5.0/24
preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
var INTERNAL 172.19.6.0/24
<<<< Can I redeclare an EXTERNAL variable here as well?? >>>
repeated for remaining networks
What I would like to be able to do:
var INTERNAL 172.19.5.0/24, 172.19.6.0/24, 172.19.7.0/24, 172.19.8.0/24, \
var EXTERNAL !$INTERNAL
If it helps any, I am using snort 188.8.131.52 from the RPM with Linux.
Thanks for a very capable software program!
Kevin M. Myer
Lancaster-Lebanon Intermediate Unit 13
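As an added illustration of the comma-delimited network list and the `!$INTERNAL` negation the post asks for, here is a small Python resolver; it is not part of the original message and not Snort's own code, and the config lines, variable names and host addresses it uses are constructed for the example. It also shows a strict CIDR check that rejects a prefix whose host bits are not all zero, one common reason a parser refuses a CIDR string.

```python
import ipaddress
import re

# Matches a reference to an earlier variable, optionally negated: $NAME or !$NAME.
_REF = re.compile(r"^(!?)\$([A-Za-z_][A-Za-z0-9_]*)$")


class NetList:
    """A set of networks; negated=True means 'every address NOT in these networks'."""

    def __init__(self, networks, negated=False):
        self.networks = list(networks)
        self.negated = negated

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in self.networks)  # logical OR over the list
        return hit != self.negated


def parse_networks(text):
    """Parse 'a/24, b/24, ...' into network objects. strict=True makes ipaddress
    raise ValueError for a prefix with host bits set, e.g. 172.19.5.1/24."""
    return [ipaddress.ip_network(tok.strip(), strict=True)
            for tok in text.split(",") if tok.strip()]


def resolve_vars(config_lines):
    """Process 'var NAME value' lines in order. A value of $OTHER or !$OTHER refers
    to an already-defined variable; redefining a name replaces the earlier value."""
    env = {}
    for line in config_lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "var":
            continue
        name, value = parts[1], parts[2]
        ref = _REF.match(value)
        if ref:
            base = env[ref.group(2)]  # KeyError if referenced before it is defined
            env[name] = NetList(base.networks, base.negated ^ (ref.group(1) == "!"))
        else:
            env[name] = NetList(parse_networks(value.lstrip("!")), value.startswith("!"))
    return env


def classify(env, ip):
    """Return 'internal' or 'external' for ip under the resolved variables."""
    return "internal" if env["INTERNAL"].contains(ip) else "external"


# Constructed config in the wished-for syntax (not valid Snort 1.x syntax).
CONFIG = [
    "var INTERNAL 172.19.5.0/24, 172.19.6.0/24, 172.19.7.0/24, "
    "172.19.8.0/24, 172.19.9.0/24, 172.21.1.0/24",
    "var EXTERNAL !$INTERNAL",
]
```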