[Snort-users] Excluding a single IP from HOME_NET

Cees celzinga at ...11827...
Thu May 29 11:25:02 EDT 2008


List,

Is it possible to exclude a single IP from HOME_NET?

Imagine a network that uses the 10.0.0.0/8 range, and HOME_NET and
EXTERNAL_NET are defined as follows:

var HOME_NET [10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET

Now image all clients connect to the internet via a proxy server, eg
10.0.0.1. The problem arises that this setup won't detect any malware
infections, since (allmost) all malware rules are written for client in
HOME_NET accessing EXTERNAL_NET, eg:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
180solutions Update Engine"; flow: to_server,established; content:"GET";
depth: 3; content:"Host|3a|"; within: 300; content:".1
80solutions.com"; within: 40; reference:url,
www.safer-networking.org/index.php?page=threats&detail=212; classtype:
trojan-activity; sid: 2000930; rev:7;)

Is there any way to exclude the proxy server from HOME_NET?

An ideal solution would be something like:
var PROXY_SERVER = [10.0.0.1]
var HOME_NET [10.0.0.0/8, !$PROXY_SERVER]
var EXTERNAL_NET !$HOME_NET

However, this syntax results in an error in the sfportscan preprocessor:
ERROR: snort.conf(x) => Invalid ip_list to 'watch_ip' option (snort 2.8.1)

Any ideas?

Thanks, Cees
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080529/a0ee1745/attachment.html>


More information about the Snort-users mailing list