[Snort-users] Bewildered, Multiple subnets/Vars/Negation

Matt Sheridan slavetotruth at ...125...
Thu Mar 3 10:21:59 EST 2005


All - I need your help, I cannot figure out what I am missing. I have 
followed the Snort docs/FAQs as best I can, yet functionality for negating 
multiple networks - as another variable or directly - does not work. I am 
very frustrated.

Basically, I want to have a variable to use for "everything but these 
networks". Simple, right? Similar to EXTERNAL_NET...

So I have a list that I want to define as "INSIDE" and the negation as 
"OUTSIDE".

First I tried:

var INSIDE [199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]

(and)

var OUTSIDE !$INSIDE

for use in a rule such as:

alert tcp $OUTSIDE any -> any any ....

But application of OUTSIDE (while "accepted" (-T) by Snort) doesn't work as 
it should... subnets from the INSIDE var STILL trigger.... ?!

(I tried making "var OUTSIDE ![$INSIDE]" also, accepted, but same deal)

Fine.

So I will just define OUTSIDE by itself. This is where I became COMPLETELY 
bewildered....

var OUTSIDE ![199.130.0.0/16,10.0.0.0/8,159.0.0.0/8,172.0.0.0/8,77.0.0.0/8,192.168.0.0/16]

THAT should do it... Nope. By the way, before you tell me to read the docs, 
the Snort FAQ states:

quote**********************

will NOT work:

    var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]

but this will work:

    var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16]

quote**********************

So my syntax is correct.

However, I apply this new, specific, "as FAQ'ed" var to the NETBIOS NT NULL 
session rule (sid 530):

alert tcp $OUTSIDE any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session";.....)

and I still trigger on subnets listed directly in the OUTSIDE var.... ?!


So, it doesn't work when you negate a standard variable (with many subnets), 
and it didn't work when I specifically negated the list (as per the FAQ) directly 
in the variable....

I must be missing something simple, but can you please help? I feel crazy.

For the record:
Red Hat, running Snort 2.3.0

from .conf: (slightly obfuscated)
var INSIDE [199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]

var OUTSIDE ![199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]

One rule that trips when it shouldn't (line breaks inside the rule are
continuation lines, so the content string is one unbroken token):

alert tcp $OUTSIDE any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; \
    flow:to_server,established; \
    content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; \
    reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; \
    classtype:attempted-recon; priority:2; sid:530; rev:10;)


If I'm an idiot, please tell me where!!

-Matt
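An added example, not part of Matt's post and not Snort's own code: a small Python resolver that implements the documented meaning of Snort 2.x IP-list variables ([a,b] = any of, ![...] = none of, !$VAR and [$VAR] substitution), using the INSIDE/OUTSIDE definitions from the post as constructed input, so you can check which addresses a variable should match before suspecting the rule. The addresses fed to it are constructed, and it also shows why the [!a,!b] form the FAQ rejects cannot mean "neither": evaluated as any-of, it still matches an address that is inside one of the nets.

```python
import ipaddress
import re

# Constructed config, copied from the "for the record" section of the post.
SAMPLE_CONF = """
var INSIDE [199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]
var OUTSIDE ![199.130.0.0/16,188.166.0.0/16,192.168.0.0/16,77.0.0.0/8,172.0.0.0/8,10.0.0.0/8]
"""

def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines into a dict of raw, unexpanded specs."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def _expand(spec, vars_):
    """Replace every $NAME with that variable's (recursively expanded) spec."""
    def sub(m):
        return _expand(vars_[m.group(1)], vars_)   # KeyError if NAME is undefined
    return re.sub(r"\$(\w+)", sub, spec)

def _split_top_level(body):
    """Split a list body on commas that are not inside nested [...]."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur] if p]

def matches(spec, ip, vars_=None):
    """True if ip falls in the set spec describes: [a,b] = any of, ! = not."""
    spec = _expand(spec.strip(), vars_ or {})
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif spec.startswith("[") and spec.endswith("]"):
        hit = any(matches(m, ip, vars_) for m in _split_top_level(spec[1:-1]))
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return not hit if negate else hit

if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    for ip in ("10.1.2.3", "199.130.4.4", "203.0.113.5"):   # constructed addresses
        print(ip, "matches $OUTSIDE:", matches("$OUTSIDE", ip, v))
```

If an address this resolver says is excluded from $OUTSIDE still fires the rule in a live sensor, the problem is in how the engine evaluates the variable, not in the list syntax.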
