[Snort-users] home_net and ext_net question

Matt Kettler mkettler at ...4108...
Fri Apr 25 10:15:05 EDT 2003


At 12:10 PM 4/25/2003 -0400, L. Christopher Luther wrote:
>It is my understanding that if you have a rule that is something like "alert
>tcp $EXTERNAL_NET any -> $HOME_NET 80 ..." you could actually get alerts
>from within the 10.0.2.0 network.
>
>Why?  Because Snort performs a first match between source address and
>destination.  Therefore, a packet from 10.0.2.0/24 satisfies the
>!10.0.1.0/24.
>
>Maybe I'm mixed up here (always a good possibility), but I seem to remember
>that when multiple networks are included in a rule the rule treats the
>networks in an OR fashion not an AND fashion.

You're mixed up in logic.

Snort does treat comma'ed lists in an OR fashion, but because the ! is 
outside the braces it happens *after* the or is already done, making it NOT 
(A OR B). Which according to De Morgan's theorem is logically equivalent to 
(NOT A) AND (NOT B).

The "funny things" will only happen in the absence of the brackets, or if 
you try to do this common mistake:
[!a.a.a.a/24, !b.b.b.b/24]

Which is equivalent to any if a and b don't overlap.
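The two forms Matt contrasts, modelled as an added example (not Snort code and not part of the original thread): a small evaluator that ORs the items inside the brackets and applies a leading `!` to the whole result, run against the 10.0.1.0/24 and 10.0.2.0/24 networks from the question with constructed test addresses.

```python
"""Model of Snort's address-list semantics as described in the reply:
items inside [] are OR'ed, and a ! outside the brackets negates that OR.
Added example, not Snort's own code."""
import ipaddress


def parse_addr_spec(spec: str):
    """Turn '![10.0.1.0/24,10.0.2.0/24]' into (outer_negated, [(item_negated, network), ...])."""
    spec = spec.strip()
    outer_neg = spec.startswith("!")
    if outer_neg:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    items = []
    for part in spec.split(","):
        part = part.strip()
        if part == "any":
            items.append((False, ipaddress.ip_network("0.0.0.0/0")))
            continue
        item_neg = part.startswith("!")
        if item_neg:
            part = part[1:].strip()
        items.append((item_neg, ipaddress.ip_network(part, strict=False)))
    return outer_neg, items


def matches(spec: str, addr: str) -> bool:
    """True if addr satisfies spec. Inner items are OR'ed; the outer !
    is applied afterwards, so ![A,B] == NOT (A OR B) == (NOT A) AND (NOT B)."""
    outer_neg, items = parse_addr_spec(spec)
    ip = ipaddress.ip_address(addr)
    inner = any((ip in net) != item_neg for item_neg, net in items)
    return inner != outer_neg


# The correct form and the "common mistake" form from the reply.
CORRECT = "![10.0.1.0/24,10.0.2.0/24]"   # NOT (A OR B)
MISTAKE = "[!10.0.1.0/24,!10.0.2.0/24]"  # (NOT A) OR (NOT B): true for every address


def compare(addr: str):
    """Return (correct_form_matches, mistake_form_matches) for one address."""
    return matches(CORRECT, addr), matches(MISTAKE, addr)


if __name__ == "__main__":
    # Constructed sample addresses: one in each listed network, one outside both.
    for a in ("10.0.1.7", "10.0.2.7", "192.0.2.1"):
        print(a, compare(a))
```

The mistaken form returns True for every address because an address cannot be in two disjoint networks at once, so at least one negated item always matches; it is equivalent to `any`.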
