[Snort-users] Question on port lists and negation
mkettler at ...4108...
Tue Oct 9 18:01:18 EDT 2007
> Matt Kettler wrote:
>> Jason wrote:
>>>> Hi Matt,
>>>> Thanks for your comments. I don't understand why these packets are
>>>> "no different". The MY_HTTP_PORTS variable includes 8000. If I
>>>> negate MY_HTTP_PORTS in my rule, why do I get an alert on
>>>> 192.168.2.105:50970 -> 192.168.2.103:8000? Is it because port 8000 in
>>>> the packet is not other ports in the variable, like 80, 81, etc.?
>>> NOTE: I've not had a chance to look at the code, I could be wrong,
>>> please verify.
>>> I think there may two issues working together.
>>> 1) not(80 and 81 and 82...) is different than (not 81 and not 81...)
>>> 2) not(80 and 81 and 82...) will always be true
>> By that same logic, [80,81,82..] aka (80 and 81 and 82) would always be
>> false, which would make the syntax completely worthless.
>> AFAIK, all the "comma" operators are OR operators, not AND. It's the
>> only sensible operator to use here.
>> so ![80,81,82..] is:
>> not (80 or 81 or 82)
>> and it should work the way you expect.
>> However, with OR you have to be careful of trying to negate inside the []
>> ie: [!80,!81,!82..] would become:
>> (not 80) or (not 81) or (not 82)
>> which is always true...
> I readily admit I did not put a lot of thought into it. So... Which way
> is it?
A comma inside the [] for a port or IP on a rule is an OR operator, and a
BOOLEAN OR at that.
It CANNOT be an AND, as it would be dysfunctional to the point of making any
rule using [a,b] completely pointless. It would never match anything if a and b
were not equal, and at that point, it is stupid.
Your large table of operations confuses me greatly, but it may be because I
don't understand your syntax.
> (80 == !(80 || 80)) : 0
> !(80 == (80 || 80)) : 1
What are those two supposed to represent, logically speaking, and how do they
From my C-code centered view I read (80 == !(80 || 80)) as:
(80 "is equal to" not ( 80 BOOLEAN OR 80))
Which is nonsense. You don't boolean OR together two integers. You can, but it's
using [80,81] for a dport rule would be read as:
match if dport is equal to 80 or dport is equal to 81.
Which I would express as:
(dport == 80 || dport == 81)
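The semantics argued above (comma is boolean OR, a leading "!" negates the whole list, a "!" on an element negates only that element) can be checked mechanically. The following is an added illustration written for this thread, not Snort's own port-list parser; it models exactly the reading Matt gives and nothing more, so it says nothing about what real Snort does with forms it might reject. The MY_HTTP_PORTS contents are a constructed stand-in for Jason's variable.

```python
"""
Toy evaluator for Snort-style port lists with negation (added example,
not Snort's parser). It implements the reading from the thread:

  [a,b,c]    ->  (port == a) OR (port == b) OR (port == c)
  ![a,b,c]   ->  NOT ((port == a) OR (port == b) OR (port == c))
  [!a,!b]    ->  (port != a) OR (port != b)      <- always true

Real Snort may parse or reject some of these forms differently.
"""
import re

# Constructed stand-in for the $MY_HTTP_PORTS portvar in the thread.
PORTVARS = {"MY_HTTP_PORTS": "[80,81,82,8000]"}


def parse_port_list(spec, portvars=PORTVARS):
    """Parse '80', '!80', '[80,81]', '![80,81]', '[!80,!81]', '[80:90]',
    or '$NAME' / '!$NAME' (expanded from portvars).

    Returns (negate_whole, elements) with each element (negate_elem, lo, hi).
    """
    spec = spec.strip()
    negate_whole = False
    if spec.startswith("!"):
        negate_whole = True
        spec = spec[1:].strip()
    if spec.startswith("$"):
        spec = portvars[spec[1:]]
        if spec.startswith("!"):          # variable itself negated
            negate_whole = not negate_whole
            spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    elements = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port list")
        negate_elem = item.startswith("!")
        if negate_elem:
            item = item[1:].strip()
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
        if not m:
            raise ValueError("bad port element: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port out of range: %r" % item)
        elements.append((negate_elem, lo, hi))
    return negate_whole, elements


def _eval(negate_whole, elements, port):
    """Comma is OR: the list matches if any element matches; then apply
    the leading '!' to that whole result."""
    any_match = False
    for negate_elem, lo, hi in elements:
        hit = lo <= port <= hi
        if negate_elem:
            hit = not hit                 # per-element negation: (port != a)
        any_match = any_match or hit
    return (not any_match) if negate_whole else any_match


def port_matches(spec, port, portvars=PORTVARS):
    """Does a dport of `port` satisfy the port list `spec`?"""
    negate_whole, elements = parse_port_list(spec, portvars)
    return _eval(negate_whole, elements, port)


def always_true(spec, portvars=PORTVARS):
    """Brute-force over every port: does `spec` match all 65536 of them?
    Shows why [!80,!81] is useless while ![80,81] is not."""
    negate_whole, elements = parse_port_list(spec, portvars)
    return all(_eval(negate_whole, elements, p) for p in range(65536))


if __name__ == "__main__":
    # Jason's packet: 192.168.2.105:50970 -> 192.168.2.103:8000
    print("!$MY_HTTP_PORTS matches dport 8000 :", port_matches("!$MY_HTTP_PORTS", 8000))
    print("!$MY_HTTP_PORTS matches dport 50970:", port_matches("!$MY_HTTP_PORTS", 50970))
    print("[!80,!81] is always true         :", always_true("[!80,!81]"))
    print("![80,81] is always true          :", always_true("![80,81]"))
```

Under this reading a dport of 8000 does not satisfy !$MY_HTTP_PORTS, so the alert Jason saw is not explained by the OR semantics alone; the brute-force check is the quickest way to prove that [!80,!81] matches every port while ![80,81] does not.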