[Snort-users] home_net and ext_net question

L. Christopher Luther CLuther at ...6333...
Fri Apr 25 09:11:03 EDT 2003


Let's take the "funny things" a little farther.  In the example: 

    var HOME_NET      [10.0.1.0/24,10.0.2.0/24]
    var EXTERNAL_NET  !$HOME_NET

It is my understanding that if you have a rule that is something like "alert
tcp $EXTERNAL_NET any -> $HOME_NET 80 ..." you could actually get alerts
from within the 10.0.2.0 network.  

Why?  Because Snort performs a first match between source address and
destination.  Therefore, a packet from 10.0.2.0/24 satisfies the
!10.0.1.0/24.  

Maybe I'm mixed up here (always a good possibility), but I seem to remember
that when multiple networks are included in a rule the rule treats the
networks in an OR fashion not an AND fashion.  

Do any of the Snort Dev Team want to comment on this?  Marty?!  


-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Thursday, April 24, 2003 6:37 PM
To: Snort-Users (E-mail)
Subject: RE: [Snort-users] home_net and ext_net question


At 02:38 PM 4/24/2003 -0700, Everist, Benjamin S. (NASWI) wrote:

><snip>
> >Having HOME_NET encapsulate two or more networks can do funny things to
the
> >Snort rules when one simply negates EXTERNAL_NET (i.e., var EXTERNAL_NET
> >!$HOME_NET, or some variant).
>
>What kinds of funny things?


It will do funny things if you try to do HOME_NET as a comma-delimited list 
and forget to put ['s around it. Otherwise it should be fine.

![10.0.0.0/8,192.168.1.0/24] is different than ! 10.0.0.0/8,192.168.1.0/24

I suspect this is where the "funny things" experience comes in, from 
someone errantly declaring:

var HOME_NET 10.0.0.0/8,192.168.1.0/24
var EXTERNAL_NET !$HOME_NET


Ooops. 





More information about the Snort-users mailing list