[Snort-users] Host negation in rules.

Scott A. McIntyre scott at ...1050...
Fri Jan 26 08:20:53 EST 2001


Hi,

I'm having a devil of a time getting this to work:

alert tcp $EXTERNAL_NET any -> [!194.109.6.66/32,$HOME_NET] 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP; offset: 13;)


Basically, I want to ignore DNS Zone transfers from 194.109.6.66/32 --
I've tried flipping the order of that list around (home net first, then
the node in question), but that doesn't seem to catch it either.

A packet that triggered it, for example, is:

01/26-14:10:53.107228 xxx.xxx.xxx.xx:54644 -> 194.109.6.66:53
TCP TTL:122 TOS:0x0 ID:58118 IpLen:20 DgmLen:186 DF
***AP*** Seq: 0xD385F0BD  Ack: 0xF93B333D  Win: 0x4470  TcpLen: 20
00 90 6E EA 00 00 00 01 00 01 00 00 00 00 0F 31  ..n............1
30 34 37 39 37 32 30 32 30 32 34 32 2D 32 00 00  047972020242-2..
F9 00 01 0F 31 30 34 37 39 37 32 30 32 30 32 34  ....104797202024
32 2D 32 00 00 F9 00 FF 00 00 00 00 00 54 03 67  2-2..........T.g
73 73 09 6D 69 63 72 6F 73 6F 66 74 03 63 6F 6D  ss.microsoft.com
00 3A 71 76 7C 3A 72 C7 FC 00 03 00 00 00 31 4E  .:qv|:r.......1N
54 4C 4D 53 53 50 00 01 00 00 00 97 B2 00 E0 09  TLMSSP..........
00 09 00 28 00 00 00 08 00 08 00 20 00 00 00 4E  ...(....... ...N
54 53 45 52 56 45 52 42 41 52 4E 48 4F 4F 52 4E  TSERVERXXXXXXXXX
00 00                                            ..


(I think this is a false alert anyway, but, be that as it may, I'm still
confused about how best to include some networks, but exclude specific
hosts, from a rule's matching).

Thanks!

Scott


p.s. Yes, $HOME_NET is defined as 194.109.6.0/24
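The behaviour the post is asking for (match the home network, but never a specific host inside it) comes down to how a mixed address list such as `[!194.109.6.66/32,$HOME_NET]` is evaluated. The following toy matcher is an added example, not Snort's own code and not a statement of what any Snort version of that era actually did; it implements two candidate readings of such a list side by side so the difference can be checked against the posted packet. The variable table (`HOME_NET` as 194.109.6.0/24) is taken from the post's p.s.; the function names and the "all entries must agree" versus "any entry may match" semantics are assumptions of this example.

```python
import ipaddress

# Constructed from the post: $HOME_NET as defined in the p.s.
VARS = {"HOME_NET": "194.109.6.0/24"}

# The destination address list from the rule in the post.
RULE_LIST = "[!194.109.6.66/32,$HOME_NET]"


def parse_ip_list(spec, variables=None):
    """Split a Snort-style address list into (positive, negated) networks.

    Handles "[a,b,!c]" with optional "$VAR" entries. Nested lists inside a
    variable are not supported by this toy parser (assumption: variables
    expand to a single CIDR).
    """
    variables = variables or {}
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positives, negatives = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("!")
        if negate:
            item = item[1:].strip()
        if item.startswith("$"):
            item = variables[item[1:]]  # expand $VAR; KeyError if undefined
        net = ipaddress.ip_network(item, strict=False)
        (negatives if negate else positives).append(net)
    return positives, negatives


def address_matches(addr, spec, variables=None):
    """'Exclude-host' reading: the address must fall inside at least one
    positive entry (if any exist) AND inside none of the negated entries.
    This is the semantics the post wants: home net minus one host."""
    ip = ipaddress.ip_address(addr)
    positives, negatives = parse_ip_list(spec, variables)
    if any(ip in net for net in negatives):
        return False
    if not positives:
        return True
    return any(ip in net for net in positives)


def address_matches_any(addr, spec, variables=None):
    """'Any-entry' reading: every entry is tested on its own (a negated entry
    is true when the address is outside it) and the list matches if any
    single entry is true. Under this reading a host that is inside
    $HOME_NET still matches, whichever order the entries are written in,
    because the $HOME_NET entry alone is enough."""
    ip = ipaddress.ip_address(addr)
    positives, negatives = parse_ip_list(spec, variables)
    hits = [ip in net for net in positives] + [ip not in net for net in negatives]
    return any(hits)


if __name__ == "__main__":
    # 194.109.6.66 is the destination of the packet quoted in the post.
    for dst in ("194.109.6.66", "194.109.6.10", "10.0.0.1"):
        print(dst,
              "exclude-host:", address_matches(dst, RULE_LIST, VARS),
              "any-entry:", address_matches_any(dst, RULE_LIST, VARS))
```

Run against the post's packet (destination 194.109.6.66), the exclude-host reading suppresses the alert while the any-entry reading still fires, and flipping the order of the two entries changes nothing under either reading. That is the check to run when a negated entry inside a list appears to be ignored: decide which of the two semantics the engine in use applies before assuming the rule syntax is wrong, and if it is the any-entry one, express the exclusion outside the list instead.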