[Snort-users] CIDR address problem

Kevin M. Myer kevin_myer at ...112...
Thu Jul 20 12:38:37 EDT 2000


I have two problems which I hope someone can help me with.  The first is
that I have about 7 networks that I'd like to treat as internal.  Judging
from the example config file, if I simply define multiple instances of the
INTERNAL variable, this is equivalent to doing a logical AND of all the
networks that are internal.  However, I'm not quite sure I have this
correct - does snort build rules line by line?  In other words, if I have
defined INTERNAL twice, does it first build a list of rules with the first
instance of INTERNAL and then build another list with the second instance
of INTERNAL?  If so, wouldn't it be more convenient to allow a variable
like INTERNAL to be parsed as a comma-delimited list of networks/hosts?  
Probably the rules parsing would have to be expanded to include
something like a logical OR.  I think it would simplify configuration
greatly.  Furthermore, it would make something like:


possible (syntax might be off but basically prepend a ! before the shell
expansion of $INTERNAL).  As it stands, at least in my understanding, the
EXTERNAL variable can only be set to one network.  And while it's possible
to move up the CIDR tree to a network designation that covers most of my
networks, that also excludes some other, potentially rogue internal
networks, that I DO want to monitor from being watched by snort. 

Issue 2 - because I'm not quite sure of the multiple networks syntax, I
just went ahead and lumped everything into one network,  However, snort doesn't seem to be happy with that CIDR
designation.  In reality, I really only want to treat,,,, and as internal and everything else as external.  But lumping
them all under should work (although it includes many more
networks - the potentially rogue ones I described above).  I'm curious why fails - snort complains about not liking that CIDR address in
the logs.  

I'll show you my basic config in case it's not clear what I want to
do.  Keep in mind that what I want to end up with is the 6 class C's
treated as internal addresses and the rest as external.


preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log

include /etc/snort/vision.rules

<<<< Can I redeclare an EXTERNAL variable here as well?? >>>
include /etc/snort/vision.rules
repeated for remaining networks

What I would like to be able to do:

var INTERNAL,,,, \,

<<<preprocessor stuff>>>
include /etc/snort/vision.rules

If it helps any, I am using snort from the RPM with Linux.

Thanks for a very capable software program!

Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
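As an added illustration (not part of this post, and not Snort's own code or config syntax), the following Python models the behaviour Kevin is asking for: an INTERNAL variable that is a comma-delimited list of CIDR blocks evaluated with OR semantics, a leading ! to exclude a block, and EXTERNAL defined as the negation of INTERNAL. It uses only the standard ipaddress module. The network blocks (RFC 5737 documentation ranges), the sample addresses and the helper names are constructed for the example. The cidr_problem function also shows one common reason a CIDR string is refused by a parser, host bits set in the network part (192.0.2.7/24 instead of 192.0.2.0/24); whether that is what Snort objected to in Kevin's logs cannot be determined from the post, so treat it as a check to run, not a diagnosis.

```python
import ipaddress


def parse_net_list(spec):
    """Parse "net1,net2,!net3" into a list of (negated, ip_network) pairs.

    Each element is a CIDR block; a leading '!' marks it as an exclusion.
    A malformed block raises ValueError naming the offending entry, so a
    multi-network variable fails loudly instead of silently matching nothing.
    """
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        try:
            # strict=True rejects e.g. 192.0.2.7/24 (host bits set), which is a
            # frequent reason a CIDR string is refused by a parser.
            net = ipaddress.ip_network(item, strict=True)
        except ValueError as exc:
            raise ValueError(f"bad CIDR entry {item!r}: {exc}") from exc
        entries.append((negated, net))
    return entries


def in_net_list(entries, addr):
    """True if addr is in some non-negated block and in no negated block (OR semantics)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for negated, net in entries if negated):
        return False
    positives = [net for negated, net in entries if not negated]
    # A list consisting only of exclusions means "everything except those".
    return True if not positives else any(ip in net for net in positives)


def classify(internal_spec, addr):
    """'internal' if addr matches $INTERNAL, else 'external' (EXTERNAL == !INTERNAL)."""
    return "internal" if in_net_list(parse_net_list(internal_spec), addr) else "external"


def cidr_problem(cidr):
    """Return None if cidr is a valid network, otherwise the parser's reason for rejecting it."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: several class-C sized blocks treated as internal.
    internal = "192.0.2.0/24,198.51.100.0/24,203.0.113.0/25"
    for addr in ("192.0.2.10", "203.0.113.200", "10.1.1.1"):
        print(addr, "->", classify(internal, addr))
    # Constructed sample: a block that looks right but has host bits set.
    for cidr in ("192.0.2.0/24", "192.0.2.7/24", "192.0.2.0/33"):
        print(cidr, "->", cidr_problem(cidr) or "ok")
```

For what it is worth, later Snort 2.x releases did add this kind of syntax natively (a bracketed, comma-separated list such as var HOME_NET [192.0.2.0/24,198.51.100.0/24] and !$HOME_NET for its complement), so the request in this post describes what the configuration language eventually became rather than something that needs a workaround today.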
