[Snort-users] IP Address's in Rule

Robby Desmond rdesmond at ...6547...
Thu Oct 10 08:14:04 EDT 2002


At 12:57 PM 10/9/02 -0400, Mike McCabe wrote:
>How do I include specific IP addresses in a rule.  Say I want to have
>certain IP addresses not looked at and still want the rule to use
>EXTERNAL_NET...  Something like:
>
>alert tcp [!X.Y.W.Z/32,!A.B.C.D/32,!E.F.G.H/32,$EXTERNAL_NET] any ->
>$HOME_NET 53 (msg:"DNS zone transfer"; content: "|00 00 FC|"; flags: A+;
>offset: 13; reference:arachnids,212; classtype:attempted-recon; sid:255;
>rev:2;)
>
>But it doesn't seem to work...
>
>Any help would be appreciated...
>
>Mike

Well, the problem is this, the commas in a snort IP list are logical ORs. 
If $EXTERNAL_NET includes x.y.w.z or a.b.c.d or e.f.g.h, the alert will 
still fire.  If I am wrong about this, I wish one of the snort people would 
tell me, because all of my past experience with snort has told me that this 
is the case.

Of course, it makes sense, since creating a rule that listed 
[f.b.m.c,r.t.d.u] would mean you wanted both of them checked, which is a 
logical OR.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906





More information about the Snort-users mailing list