[Snort-users] IP Address's in Rule

Matt Kettler mkettler at ...4108...
Wed Oct 9 11:13:08 EDT 2002


The comma'ed list of IP's is a logical OR operation so:

[!X.Y.W.Z/32, !A.B.C.D/32] is the same thing as any, and your longer list 
is also the equivalent of any.


This happens because it will match anything which is (not X.Y.W.Z) OR 
(not A.B.C.D). This set effectively matches X.Y.W.Z, because it matches the 
!A.B.C.D part, and it will also match A.B.C.D, because it matches the !X.Y.W.Z, 
and any other IP will match both.


In your case you'll likely want to do something like this:

var OK_TO_DNSXFER [X.Y.W.Z/32, A.B.C.D/32,E.F.G.H/32,<insert other IP's 
allowed to do xfers here>]

alert tcp !$OK_TO_DNSXFER any ->
$HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+;
offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:1000255;
rev:1;)


Note that I have the ! outside the list in this case, which means it will 
be NOT (X.Y.W.Z OR A.B.C.D OR E.F.G.H OR <whatever else>), instead of (NOT 
X.Y.W.Z) OR (NOT A.B.C.D) OR (NOT E.F.G.H) etc.

Note the subtle difference: saying "I will accept anything which is not an 
apple or an orange" is very different than saying "I will accept anything 
which is not an apple, or I will accept anything which is not an orange".


At 12:57 PM 10/9/2002 -0400, Mike McCabe wrote:
>How do I include specific IP addresses in a rule.  Say I want to have
>certain IP addresses not looked at and still want the rule to use
>EXTERNAL_NET...  Something like:
>
>alert tcp [!X.Y.W.Z/32,!A.B.C.D/32,!E.F.G.H/32,$EXTERNAL_NET] any ->
>$HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+;
>offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:255;
>rev:2;)
>
>But it doesn't seem to work...
>
>Any help would be appreciated...
>
>Mike
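A small model of the list semantics Matt describes, added here as an example that is not from either post or from Snort itself: members of a comma list are ORed, and an outer `!` inverts the whole result, so `[!a,!b]` accepts every address while `![a,b]` excludes exactly a and b. The addresses are constructed from RFC 5737 documentation ranges, and `parse_ip_list`/`matches` are hypothetical helper names, not Snort functions.

```python
import ipaddress

def parse_ip_list(spec):
    """Parse a Snort-style IP list such as "[!X.Y.W.Z/32,!A.B.C.D/32]" or
    "![X.Y.W.Z/32,A.B.C.D/32]" into (outer_negation, [(member_negation, network), ...]).
    This is a simplified model of the semantics in the post, not Snort's parser."""
    spec = spec.replace(" ", "")
    outer_neg = spec.startswith("!")
    if outer_neg:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    members = []
    for item in spec.split(","):
        member_neg = item.startswith("!")
        if member_neg:
            item = item[1:]
        members.append((member_neg, ipaddress.ip_network(item, strict=False)))
    return outer_neg, members

def matches(spec, addr):
    """True if addr is accepted by the list: a member accepts the address when
    (addr in network) disagrees with its own '!', members are ORed, and the
    outer '!' (if present) inverts the combined result."""
    outer_neg, members = parse_ip_list(spec)
    ip = ipaddress.ip_address(addr)
    any_member_hit = any((ip in net) != member_neg for member_neg, net in members)
    return any_member_hit != outer_neg

# Constructed sample: three hosts allowed to do zone transfers, plus an outsider.
ALLOWED = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
OUTSIDER = "198.51.100.7"

# Negation on each member: (NOT a) OR (NOT b) OR (NOT c) -> equivalent to "any".
NEGATED_MEMBERS = "[!192.0.2.10/32,!192.0.2.20/32,!192.0.2.30/32]"
# Negation outside the list: NOT (a OR b OR c) -> excludes only the allowed hosts.
NEGATED_LIST = "![192.0.2.10/32,192.0.2.20/32,192.0.2.30/32]"

def acceptance_table(spec):
    """Return {address: accepted} for the allowed hosts and the outsider."""
    return {a: matches(spec, a) for a in ALLOWED + [OUTSIDER]}

if __name__ == "__main__":
    for label, spec in (("negated members", NEGATED_MEMBERS), ("negated list", NEGATED_LIST)):
        print(label, acceptance_table(spec))
```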
