[Snort-users] "!" not acceptable in rules.base?

Geoffrey Goodrum ggoodrum at ...513...
Mon Sep 25 16:02:27 EDT 2000
Sorry if this has been answered before, but I'm new to the list and did
not find it in the archives for the past month.

I am using kernel v2.2.16 on Red Hat Linux v6.1 (i386).

I've been using snort v1.6.0 from the Red Hat RPM on whitehats.com since
May. I just downloaded and installed v1.6.3 from the SRPM on the snort.org
site.

The rules.base file created by the RPM installation puts double quotes
around the INTERNAL var IP address (var INTERNAL "140.90.224.10"/32),
which results in the messages log entry:

Sep 25 15:16:53 perigee snort: ERROR /etc/snort/vision.rules (1) => Rule IP addr ("140.90.224.10") didn't x-late, WTF?

and snort dies.  I fixed that by removing the quotes.  I also
wanted INTERNAL to be everything in my subnet, so I now have:

var INTERNAL 140.90.224.0/24

and that seems to work.

However, I want EXTERNAL to be everything not INTERNAL (like the
vision.conf setting), not "any" as specified in the rules.base.
Following the documented snort IP Address convention, I use:

var EXTERNAL !140.90.224.0/24

but this also gives:

Sep 25 14:50:11 perigee snort: ERROR /etc/snort/rules.base (6) => Rule IP addr ("!140.90.224.0") didn't x-late, WTF?

Bottom line is I want EXTERNAL to be everything outside my subnet,
otherwise my internal Big Brother network scans get logged.  What
is the correct syntax?

TIA!

Geof
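The three `var` lines quoted above (quoted address, plain CIDR, negated CIDR) differ in what a parser is asked to do with them. The following added example is not Snort code and not a statement of what Snort 1.6.3 actually does; it is a small, hypothetical parser written here to show why a quoted address cannot translate to an IP, and what "everything outside my subnet" means once a negated CIDR is accepted. The sample lines are constructed from the post, and `parse_var`, `load_vars` and `address_matches` are names chosen for this example.

```python
import ipaddress

# Constructed sample lines modelled on the rules.base entries in the post.
SAMPLE_VARS = [
    'var INTERNAL "140.90.224.10"/32',  # quotes become part of the address text
    'var INTERNAL 140.90.224.0/24',     # plain CIDR, the form that worked
    'var EXTERNAL any',                 # the RPM default the poster wants to replace
    'var EXTERNAL !140.90.224.0/24',    # negated CIDR: everything outside the subnet
]


def parse_var(line):
    """Parse one 'var NAME VALUE' line into (name, negated, network).

    network is None for the keyword 'any'.  A value that is not an address
    (for example one still wrapped in double quotes) raises ValueError, which
    is the situation the "didn't x-late" error in the post reports.
    """
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] != "var":
        raise ValueError(f"not a var line: {line!r}")
    name, value = parts[1], parts[2].strip()

    # A leading '!' negates the address; strip it before translation.
    negated = value.startswith("!")
    if negated:
        value = value[1:]

    if value == "any":
        return name, negated, None

    try:
        # strict=False accepts host bits set in a /24 style value.
        network = ipaddress.ip_network(value, strict=False)
    except ValueError as exc:
        raise ValueError(f"{name}: address {value!r} didn't translate ({exc})") from exc
    return name, negated, network


def load_vars(lines):
    """Parse every line; later definitions of a name override earlier ones.

    Returns (definitions, errors) so bad lines are reported instead of
    silently dropped.
    """
    definitions, errors = {}, []
    for number, line in enumerate(lines, start=1):
        try:
            name, negated, network = parse_var(line)
            definitions[name] = (negated, network)
        except ValueError as exc:
            errors.append((number, str(exc)))
    return definitions, errors


def address_matches(definition, addr):
    """True if addr falls inside the set the (negated, network) definition denotes."""
    negated, network = definition
    if network is None:           # 'any' matches everything, '!any' nothing
        return not negated
    inside = ipaddress.ip_address(addr) in network
    return not inside if negated else inside


if __name__ == "__main__":
    defs, errs = load_vars(SAMPLE_VARS)
    for number, message in errs:
        print(f"line {number}: {message}")
    for probe in ("140.90.224.55", "203.0.113.7"):
        print(probe, "EXTERNAL" if address_matches(defs["EXTERNAL"], probe) else "INTERNAL")
```

Running it reports the quoted line as untranslatable and, with the negated definition in force, classifies an address in 140.90.224.0/24 as internal and any other address as external, which is the behaviour the poster is after for the Big Brother scans.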