[Snort-users] Question on port lists and negation

Jason security at ...5028...
Tue Oct 9 15:20:18 EDT 2007



Matt Kettler wrote:
> Jason wrote:
> 
>>> Hi Matt,
>>>
>>> Thanks for your comments.  I don't understand why these packets are
>>> "no different".  The MY_HTTP_PORTS variable includes 8000.  If I
>>> negate MY_HTTP_PORTS in my rule, why do I get an alert on
>>> 192.168.2.105:50970 -> 192.168.2.103:8000?  Is it because port 8000 in
>>> the packet is not other ports in the variable, like 80, 81, etc.?
>>
>> NOTE: I've not had a chance to look at the code, I could be wrong,
>> please verify.
>>
>> I think there may be two issues working together.
>>
>> 1) not(80 and 81 and 82...) is different than (not 81 and not 81...)
>> 2) not(80 and 81 and 82...) will always be true
> 
> By that same logic, [80,81,82..] aka (80 and 81 and 82) would always be
> false, which would make the syntax completely worthless.
> 
> AFAIK, all the "comma" operators are OR operators, not AND. It's the
> only sensible operator to use here.
> 
> so ![80,81,82..] is:
> 
> not (80 or 81 or 82)
> 
> and it should work the way you expect.
> 
> However, with OR you have to be careful of trying to negate inside the
> brackets,
> i.e. [!80,!81,!82..] would become:
> 
> (not 80) or (not 81) or (not 82)
> 
> which is always true...
> 

I readily admit I did not put a lot of thought into it. So... Which way
is it?

(80 == (80 | 80))       :       1
(80 == !(80 | 80))      :       0
!(80 == (80 | 80))      :       0
(80 == (!80 | !80))     :       0
(80 == (80 | 81))       :       0
(80 == !(80 | 81))      :       0
!(80 == (80 | 81))      :       1
(80 == (!80 | !81))     :       0
(80 == (80 & 80))       :       1
(80 == !(80 & 80))      :       0
!(80 == (80 & 80))      :       0
(80 == (!80 & !80))     :       0
(80 == (80 & 81))       :       1
(80 == !(80 & 81))      :       0
!(80 == (80 & 81))      :       0
(80 == (!80 & !81))     :       0
(80 == (80 || 80))      :       0
(80 == !(80 || 80))     :       0
!(80 == (80 || 80))     :       1
(80 == (!80 || !80))    :       0
(80 == (80 || 81))      :       0
(80 == !(80 || 81))     :       0
!(80 == (80 || 81))     :       1
(80 == (!80 || !81))    :       0
(80 == (80 && 80))      :       0
(80 == !(80 && 80))     :       0
!(80 == (80 && 80))     :       1
(80 == (!80 && !80))    :       0
(80 == (80 && 81))      :       0
(80 == !(80 && 81))     :       0
!(80 == (80 && 81))     :       1
(80 == (!80 && !81))    :       0
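The semantics Matt spells out (a bracketed list is an OR of its members, `!` in front of the list negates that OR, and `!` on each member yields "not 80 or not 81 ...", which every port satisfies) can be checked directly with a small evaluator. The following is an added illustration, not code from the thread or from Snort itself; the function names, the `VARS` table and the constructed value `[80,81,82,8000]` for `MY_HTTP_PORTS` (the thread only says it includes 8000 and ports such as 80 and 81) are assumptions, and the grammar is a Snort-like subset rather than Snort's own parser.

```python
"""Evaluate Snort-style port specifications against a packet's port.

Constructed illustration of the list semantics discussed in the thread:
a bracketed list is an OR of its members, '!' in front of the whole list
negates that OR, and '!' on each member is "not a OR not b", which is
true for every port.  Not Snort's own parser; a Snort-like subset only.
"""
import re

# Assumed contents of the variable from the thread (constructed value).
VARS = {"MY_HTTP_PORTS": "[80,81,82,8000]"}


def expand_vars(spec: str) -> str:
    """Replace $NAME references with their definitions from VARS."""
    return re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], spec)


def _split_members(body: str) -> list[str]:
    """Split a list body on top-level commas; nested brackets allowed."""
    members, depth, current = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            members.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        members.append("".join(current).strip())
    return members


def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies `spec`.

    Grammar (Snort-like): N | lo:hi | :hi | lo: | any | [m1,m2,...] | $VAR
    with an optional leading '!' on any element.
    """
    spec = expand_vars(spec.strip())
    if spec.startswith("!"):
        # Negation applies to whatever follows: one port, a range, or a list.
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        # A list is an OR of its members, so ![a,b] is not(a or b)
        # while [!a,!b] is (not a) or (not b).
        return any(port_matches(m, port) for m in _split_members(spec[1:-1]))
    rng = re.fullmatch(r"(\d*):(\d*)", spec)
    if rng:
        lo = int(rng.group(1)) if rng.group(1) else 0
        hi = int(rng.group(2)) if rng.group(2) else 65535
        return lo <= port <= hi
    if spec.isdigit():
        return port == int(spec)
    raise ValueError(f"unrecognised port spec: {spec!r}")


def compare_negation_forms(port: int) -> dict:
    """Evaluate the two ways of writing 'not an HTTP port' for one port."""
    inside = "[" + ",".join("!" + p for p in _split_members(VARS["MY_HTTP_PORTS"][1:-1])) + "]"
    return {
        "!$MY_HTTP_PORTS": port_matches("!$MY_HTTP_PORTS", port),  # not(80 or 81 ...)
        inside: port_matches(inside, port),                        # (not 80) or (not 81) ...
    }


if __name__ == "__main__":
    # The packet from the thread: 192.168.2.105:50970 -> 192.168.2.103:8000
    for p in (8000, 80, 50970):
        print(p, compare_negation_forms(p))
```

Run against destination port 8000, the whole-list form `!$MY_HTTP_PORTS` is false (no match, as the rule author expects) while the per-member form `[!80,!81,!82,!8000]` is true, and the per-member form stays true for every other port too, which is exactly why a rule written that way fires on everything.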