[Snort-users] Question on port lists and negation

Matt Kettler mkettler at ...4108...
Tue Oct 9 18:01:18 EDT 2007


Jason wrote:
> 
> Matt Kettler wrote:
>> Jason wrote:
>>
>>>> Hi Matt,
>>>>
>>>> Thanks for your comments.  I don't understand why these packets are
>>>> "no different".  The MY_HTTP_PORTS variable includes 8000.  If I
>>>> negate MY_HTTP_PORTS in my rule, why do I get an alert on
>>>> 192.168.2.105:50970 -> 192.168.2.103:8000?  Is it because port 8000 in
>>>> the packet is not other ports in the variable, like 80, 81, etc.?
>>> NOTE: I've not had a chance to look at the code, I could be wrong,
>>> please verify.
>>>
>>> I think there may be two issues working together.
>>>
>>> 1) not(80 and 81 and 82...) is different than (not 81 and not 81...)
>>> 2) not(80 and 81 and 82...) will always be true
>> By that same logic, [80,81,82..] aka (80 and 81 and 82) would always be
>> false, which would make the syntax completely worthless.
>>
>> AFAIK, all the "comma" operators are OR operators, not AND. It's the
>> only sensible operator to use here.
>>
>> so ![80,81,82..] is:
>>
>> not (80 or 81 or 82)
>>
>> and it should work the way you expect.
>>
>> However, with OR you have to be careful of trying to negate inside the
>> brackets,
>> ie: [!80,!81,!82..] would become:
>>
>> (not 80) or (not 81) or (not 82)
>>
>> which is always true...
>>
> 
> I readily admit I did not put a lot of thought into it. So... Which way
> is it?

A comma inside the [] for a port or IP on a rule is an OR operator, and a 
BOOLEAN OR at that.

It CANNOT be an AND, as it would be dysfunctional to the point of making any 
rule using [a,b] completely pointless. It would never match anything if a and b 
were not equal, and at that point, it is stupid.


Your large table of operations confuses me greatly, but it may be because I 
don't understand your syntax.

> (80 == !(80 || 80))     :       0
> !(80 == (80 || 80))     :       1

What are those two supposed to represent, logically speaking, and how do they 
differ?

From my C-code centered view I read (80 == !(80 || 80)) as:

(80 "is equal to" not ( 80 BOOLEAN OR 80))

Which is nonsense. You don't boolean OR together two integers. You can, but it's 
pointless nonsense.

Using [80,81] for a dport rule would be read as:

match if dport is equal to 80 or dport is equal to 81.

Which I would express as:

(dport == 80 || dport == 81)
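An added worked example, not part of the original thread or of Snort itself: a small Python evaluator that applies the boolean reading above (comma is OR, a leading ! negates the whole list, a ! inside the brackets negates one item) to a packet's dport, including the thread's MY_HTTP_PORTS case. The variable table is constructed for illustration, and the lo:hi range handling is an assumption about Snort rule port syntax that goes slightly beyond what the thread discusses.

```python
import re

# Constructed variable table, modelled on the thread: MY_HTTP_PORTS includes 8000.
PORT_VARS = {"MY_HTTP_PORTS": "[80,81,82,8000]"}


def expand_vars(spec, variables):
    """Replace $NAME with the variable's item list (outer brackets stripped,
    so the substitution nests cleanly inside [...] or after a leading '!')."""
    def sub(m):
        body = variables[m.group(1)].strip()
        return body[1:-1] if body.startswith("[") and body.endswith("]") else body
    return re.sub(r"\$(\w+)", sub, spec)


def parse_port_list(spec, variables=PORT_VARS):
    """Return (negate_whole_list, items); each item is (negated, lo, hi)."""
    spec = expand_vars(spec.strip(), variables)
    negate_all = spec.startswith("!")          # '!' before the list: not(a or b ...)
    if negate_all:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    items = []
    for tok in spec.split(","):
        tok = tok.strip()
        neg = tok.startswith("!")              # '!' inside the list: negates one item only
        if neg:
            tok = tok[1:]
        if ":" in tok:                         # lo:hi range (assumed Snort port syntax)
            lo, hi = tok.split(":", 1)
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 65535)
        else:
            lo = hi = int(tok)
        items.append((neg, lo, hi))
    return negate_all, items


def port_matches(spec, port, variables=PORT_VARS):
    """Comma is boolean OR: the list matches if any single item matches."""
    negate_all, items = parse_port_list(spec, variables)
    any_item = any((lo <= port <= hi) != neg for neg, lo, hi in items)
    return (not any_item) if negate_all else any_item


if __name__ == "__main__":
    # [!80,!81] is (not 80) or (not 81): true for every port, as the thread warns.
    for spec in ("[80,81]", "![80,81]", "[!80,!81]", "!$MY_HTTP_PORTS"):
        print(f"{spec:18} dport=80 -> {port_matches(spec, 80)!s:5} "
              f"dport=8000 -> {port_matches(spec, 8000)}")
```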