[Snort-users] home_net and ext_net question
L. Christopher Luther
CLuther at ...6333...
Fri Apr 25 10:29:07 EDT 2003
Thank you for the clarification. I fully understand De Morgan's theorem,
being very proficient C/C++/VB/etc. programmer, network admin, etc. I just
didn't understand that the brackets acted like parentheses -- I thought the
brackets were only required to group multiple values together during a 'var'
But now I am more 'enlightened' in the parsing functionality of Snort.
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Friday, April 25, 2003 1:13 PM
To: L. Christopher Luther; 'Everist, Benjamin S. (NASWI)'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] home_net and ext_net question
At 12:10 PM 4/25/2003 -0400, L. Christopher Luther wrote:
>It is my understanding that if you have a rule that is something like
>tcp $EXTERNAL_NET any -> $HOME_NET 80 ..." you could actually get alerts
>from within the 10.0.2.0 network.
>Why? Because Snort performs a first match between source address and
>destination. Therefore, a packet from 10.0.2.0/24 satisfies the
>Maybe I'm mixed up here (always a good possibility), but I seem to remember
>that when multiple networks are included in a rule the rule treats the
>networks in an OR fashion not an AND fashion.
You're mixed up in logic.
Snort does treat comma'ed lists in an OR fashion, but because the ! is
outside the braces it happens *after* the or is already done, making it NOT
(A OR B). Which according do De Morgan's theorem is logically equivalent to
(NOT A) AND (NOT B).
The "funny things" will only happen in the absence of the brackets, or if
you try to do this common mistake:
Which is equivalent to any if a and b don't overlap.
More information about the Snort-users